Becoming a Patient Safety Organization

Rory Jaffe, MD, MBA | July 1, 2011

View more articles from the same authors.

Perspective

While I was the first employee of the California Hospital Patient Safety Organization (CHPSO), its story began years before my arrival. The California Hospital Association (CHA) was a strong supporter of the Patient Safety and Quality Improvement Act (PSQIA) and, after the law's passage in 2005, the CHA established a not-for-profit patient safety organization (PSO) to serve California hospitals and their patients. A board of directors was selected and a preliminary business plan established prior to hiring personnel. Thus, when I was hired in September 2008, we had a jumpstart on the process.

There are several business models for PSOs, and their startup processes and challenges differ. Some PSOs are components of a larger business enterprise, such as an incident reporting system vendor. Others are standalone entities or affiliated with a small consulting company that focuses on a particular patient safety issue (e.g., peer review). Finally, a number of PSOs like CHPSO are associated with professional organizations—in our case, CHA.

Being a component of a professional organization confers several advantages, including the following:

Our parent organization is already well known to our potential members, who can trust that the parent organization will ensure quality work.
Non-core business functions (e.g., payroll, human resources, and office services) are supplied by a sophisticated entity.
We already have a great source of information and ongoing advice: CHA has member committees, providing communication channels that make it easier to identify our members' needs and obtain feedback on our initiatives.

When AHRQ started accepting applications, we were able to almost immediately apply for listing as a PSO because we already had developed preliminary policies and procedures based on the proposed rule, a business plan focused on patient safety, and a well-functioning organizational structure—all part of the listing prerequisites. Our challenges were mainly around the need to have appropriate security for Patient Safety Work Product (PSWP) (Table 1). The security measures required are significantly higher than maintained by many organizations, and there are considerable costs to operating an appropriately secure system.

CHPSO easily complied with the listing requirements, and became the second listed PSO in the nation. Until we obtained our secure information system, we held the PSWP in an isolated secure computer or in paper form. While this provided excellent security, it was not usable once we scaled up our data collection.

Recognizing the potential for significant economies of scale for both information security and database management, we decided to contract with a vendor. With a number of other PSOs wanting to take the same course, vendors providing PSO "backend" services began to develop sophisticated products. Because of Common Formats (common definitions and reporting formats, specified by AHRQ, that allow health care providers to collect and submit standardized information regarding patient safety events) and well-defined regulatory requirements for PSOs, vendors' offerings became similar. This convergence took place over time, as we all were developing a greater understanding of what it would take to successfully provide comprehensive PSO services (Table 2).

Getting a PSO listed and functioning can be rather "cookbook"—the PSQIA and its associated rules are prescriptive in many areas. But the larger question remained: What do we do with this capability? Here we started with a nearly blank page.

Other industries (e.g., aviation) have significant experience collecting and analyzing incident reports. However, the health care industry, while it may share some of the characteristics of others, is not an exact replica of aviation or any other industry.¹ While we can benefit from the experiences of other health care incident reporting systems, including the Pennsylvania Patient Safety Authority and the United Kingdom's National Patient Safety Agency², the PSQIA provides PSOs some additional opportunities.

One of the key aspects of the PSQIA is that it implements the Institute of Medicine's recommendation to "break down legal and cultural barriers that impede safety improvement."³ CHPSO believes that breaking down these barriers is one of the most important things PSOs can do. The PSWP privilege allows us to "break out of our boxes"—to broadly discuss events and share lessons learned. Peer-review protections and attorney–client privileges create the opposite tendency: to inhibit open communication regarding errors and safety hazards.

We are working with our members to understand the implications of these changes and how to best utilize our skills and capabilities to eliminate preventable harm and improve the quality of health care delivery in California hospitals. We still are fine-tuning our plans, but following are several of CHPSO's priorities:

Perform focused analysis of selected rare events. We see this as the "core competency" of a large-scale event analysis system, such as a PSO. Common events (e.g., health care–associated infections, falls) may be so common that individual hospitals or hospital systems have enough experiences to understand many of their causes. With rare events (such as wrong-site surgery), aggregation and review across many institutions can provide an understanding that is impossible to obtain otherwise.⁴
Utilize the new PSWP protections to encourage communication about events both within an institution as well as among CHPSO participants. Systems issues are by their very nature widespread—sharing can speed learning and help develop best practices. And informal collaborations among providers can provide essential feedback from trusted colleagues.⁵ The rules governing preexisting protections (e.g., peer review, attorney–client communications), while reasonably secure in California, are oriented towards restricting communications to a limited group, not sharing, even within a single institution. And in states with limited protections, communications even within small groups can be inhibited by fear of litigation.
Disseminate experiences and lessons learned. Many have learned important lessons through difficult experiences. Now we can share and help each other.
Foster changes in health care delivery that reduce the risk human error will harm patients, such as standardization of care, checklists, and improved human–equipment interfaces.

CHPSO still has much work to do. We are working with hospitals to help them understand this new legal privilege along with the new privacy and security rules. We are evaluating how to handle our data needs not satisfied by the Common Formats. In addition, we are working with state regulators on how to best collaborate and achieve our mutual goals in patient safety, while maintaining our other responsibilities—including confidentiality and enforcement, respectively.

Improving patient safety is not a simple task, nor can success come quickly. But now, with the tools provided by the PSQIA, we can help health care providers succeed in their goal of providing safe care.

Rory Jaffe, MD, MBA Executive Director, California Hospital Patient Safety Organization

References

1. Morton A, Cornwell J. What's the difference between a hospital and a bottling factory? BMJ. 2009:339;b2727. [Available at]
2. Panesar SS, Cleary K, Sheikh A. Reflections on the National Patient Safety Agency's database of medical errors. J R Soc Med. 2009:102;256-258. [go to PubMed]
3. Kohn L, Corrigan J, Donaldson M, eds. To Err is Human: Building a Safer Health System. Washington, DC: Committee on Quality of Health Care in America, Institute of Medicine. National Academies Press; 1999. ISBN: 9780309068376. [Available at]
4. Caplan RA, Posner KL, Ward RJ, Cheney Fw. Adverse respiratory events in anesthesia: a closed claims analysis. Anesthesiology. 1990:72;828-833. [go to PubMed]
5. Hines S, Luna K, Lofthus J, et al. Becoming a High Reliability Organization: Operational Advice for Hospital Leaders. Rockville, MD: Agency for Healthcare Research and Quality; February 2008. AHRQ Publication No. 08-0022. [Available at]
6. Patient Safety Work Product [definition]. Washington, DC: US GPO Access, Government Printing Office; 2011. [Available at]
7. Patient Safety Organization: Certification for Initial Listing. Rockville, MD: Agency for Healthcare Research and Quality; 2011. [Available at]

Tables

Table 1. Patient Safety Work Product (PSWP) defined (abridged).⁶

(Go to table citation in the text)

PSWP includes data, reports, records, memoranda, analyses (e.g., RCAs), written or oral statements, (or copies of any of this material) that:

Could improve patient safety, health care quality or health care outcomes and are assembled or developed for reporting to a PSO and are then ultimately reported to a PSO; or
Identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.
PSWP does not include a patient's medical record, billing, discharge information or other information that is collected, maintained or developed separately from the PSES. PSWP is privileged and confidential and is not subject to subpoena, discovery or admission into evidence.
Even when disclosed, it maintains confidentiality and privilege. These protections enable all health care providers to share data within a protected legal environment, both within and across states, without the threat of information being used against the subject providers.

Table 2. Outline of Initial PSO Listing Requirements.⁷

(Go to table citation in the text)

The mission and primary activity must be to conduct activities that are to improve patient safety and the quality of health care delivery.
The PSO must have appropriately qualified workforce members, including licensed or certified medical professionals.
The PSO cannot be a health insurance issuer or owned, managed, or controlled by a health insurance issuer.
To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.
A PSO that is part of a larger entity or is owned, managed, or controlled by another entity must establish a specified set of controls to ensure that the parent entity cannot use PSWP.
The PSO must have written policies and procedures to address:
- Confidentiality and security (and meet specific requirements);
- Efforts to improve patient safety and the quality of health care delivery;
- Collection and analysis of patient safety work product;
- Development and dissemination of information with respect to improving patient safety;
- Utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
- Utilization of qualified staff; and
- Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

In Conversation with…William B. Munier, MD, MBA

July 1, 2011

Editor's note: William B. Munier, MD, MBA, is the Director of the Center for Quality Improvement and Patient Safety (CQuIPS) at the U.S. Agency for Healthcare Research and Quality. Dr. Munier is an experienced health care leader, having served as the president of a health care information technology software company, a partner at Ernst & Whinney, the director of the Department of Defense Civilian Peer Review of Military Care program, and the Executive Vice President of the Massachusetts Medical Society, publishers of the New England Journal of Medicine. Among his many responsibilities as Director of CQuIPS is to implement the 2005 U.S. law that authorized the formation of Patient Safety Organizations (PSOs).

Dr. Robert Wachter, Editor, AHRQ WebM&M: Why don't you start by you telling us what a PSO is?

Dr. William B. Munier: A Patient Safety Organization is a new or existing organization that applies to be officially listed by the department to engage in Patient Safety Activities, reviewing the quality and safety of care. What makes PSOs different from before is that through a federal statute passed in 2005, PSOs get special protections. They get legal protections in terms of privilege, meaning that the deliberations of the PSO are protected from discovery in court, and those deliberations carry with them certain obligations to be maintained in confidence. What this does for the people doing the analysis, and for the institutions where they work, is create a culture of safety where people feel free to report incidents that go wrong, near-misses, any kind of concern that they might have about quality or safety of care. PSOs can receive reports on quality and safety from any provider of health care. So it's not limited to hospitals—it can be nursing homes, ambulatory surgery centers, doctor's offices, free-standing clinics, any provider of care that wishes to align with a PSO can be assured that they can review quality and safety of care with those legal protections.

RW: Are there any other benefits to being in a PSO in terms of support that AHRQ gives these organizations, or networking across organizations?

WM: Perhaps the most significant kind of support has to do with providing common definitions and reporting formats, so that PSOs can collect information in a standard way to allow Patient Safety Events to be aggregated and analyzed. So somebody collecting information on medication errors at one PSO can be sure that they're collecting information in a standardized way. The information that is submitted at a national level into something called the Network of Patient Safety Databases, by statute and by regulation, must be de-identified very completely before it is submitted for aggregation. De-identification can be expensive, and it could be done in a number of different ways, which again might make data not able to be compared easily. So AHRQ is supporting an organization at a national level that will de-identify any PSO's data, free of charge, before sending it in to the Network of Patient Safety Databases. That represents significant assistance to PSOs. We also provide quite a lot of technical assistance free of charge. People call our offices and we take whatever time is necessary to help people understand the law, the regulation, and what is necessary to become a PSO, remain a PSO, and operate as a PSO.

RW: Let me see if I can better understand the national piece. So if I'm a PSO, let's say in a region, and we have created a network where we're sharing data within our PSO across hospitals and nursing homes, does all that information flow to a national database, or is it my choice as to how much of it does? Are there lessons learned at the national level that flow back to the individual PSOs? How does that interaction between individual PSOs and the national network work?

WM: The entire PSO program is voluntary for everyone except AHRQ, which obviously administers the program. There is no mandate that makes PSOs exist, either a certain number of them or a geographic spread. The establishment of PSOs and providers working with established PSOs is all on a voluntary basis. The attraction is because people would like to have the protections afforded by PSOs and we'd like to be able to compare their performance and understand what other people are doing, share lessons learned, and essentially participate in a larger learning community. With respect to what gets sent in or doesn't get sent in, the boundaries for PSOs are not only any provider organization or institution, it's also all of quality and safety; The Patient Safety Act is very broad, and it essentially says any quality or safety activities can be considered. For the purposes of this conversation, we can say that the Network of Patient Safety Databases will collect information from any PSO that wishes to send it on, initially starting with acute care hospitals.

RW: Tell us about the PSOs that have already formed. What are these organizations like?

WM: We really have a fairly broad mix of organizations. We do have a couple of IT vendors that have become PSOs. We have components of state hospital associations, provider groups, and consortiums looking at quality and safety for a number of different provider groups across the country. We have organizations that were doing quality and safety analysis before, sort of proto-PSOs if you will, and new organizations have been formed and incorporated solely to become PSOs. We have some that are broad PSOs that cover all kinds of quality and safety issues, and some that are focused on very specific areas of care.

RW: You mentioned that what appears to be the greatest motivation so far is the legal protections offered under the legislation. In many states, you already have significant legal protections around data that you're sharing—at least within your organization—around quality and safety. Can you talk a little about the variations in those kinds of laws from state to state and how that is interacting with the amount of enthusiasm that you're seeing for PSOs?

WM: Because AHRQ is defining common definitions and reporting formats, we have provided an organizing focus so that people from across the country, and even potentially across the world, can report information on patient safety in a way that is defined clinically in a congruent way and defined electronically in an interoperable way so that information can be aggregated at a larger scale. We're told that a lot of the appeal for the organizations that have signed up to become PSOs comes from trying to aggregate information and learn more rapidly from pattern analysis of aggregate data on a larger scale than has been possible before. Now, that advantage is linked to a legal advantage because the states do differ a great deal in the level of legal protection offered by various state statutes. Some offer little or no protection for review of the quality and safety of health care.

For example, the state of Florida had a ballot initiative where the constitution was amended by referendum, and peer review protections that had existed were stricken, so that Florida does not have state-level peer review protection for reviews of quality and safety. That has left the quality and safety risk management departments of hospitals, nursing homes, and so on somewhat nervous about conducting review, because the minutes and any of the deliberations or reports are all discoverable in court, if I understand the Florida constitution as it affects this issue correctly. So that information, used in a quality committee to try to make care safer in an institution, could be used by people to try to establish a basis for a malpractice suit. This situation can have a substantial chilling effect on the review process. There are many other states where the protection is less than fully adequate. Most states, even if they do have peer review protection, provide it within institutional walls, and it may be limited to just hospitals or to other specific health care organizations. It's a very common attribute of that kind of legislation that the information is protected when it's within a hospital or within the peer review committee of a hospital, but were it to leave the hospital, it would no longer be protected. Moreover, by definition, any state protection ceases once the information leaves the state. For instance, if you have a hospital chain with hospitals in many states, they cannot aggregate information across state lines easily or even across hospitals within a state without, in most cases, losing legal protection. So what the Patient Safety and Quality Improvement Act of 2005 does is provide protections that allow a rational aggregation and analysis of data on clinical units that make sense, whether they cross state lines or whether they cross institutional lines. So people can aggregate date regionally or nationally and look at performance on a broader scale.

RW: In some ways, what PSOs will allow us to do is look at quality issues and safety hazards on a much larger scale across, as you said, across hospital and health care organization lines. And yet, even working within a single hospital, I'm not sure we've completely figured this out. What gives you enthusiasm that this new organizational framework, that's much larger and in many ways more complex, will be able to solve some of these very sticky problems?

WM: I believe we see the world the same way you do in terms of individual institutions that have not necessarily solved all of the issues of integrating analysis and quality and safety improvement activities, even within the institution. To give you one example, we did a survey of about 2,000 hospitals a few years ago. The whole survey was about incident reporting systems in those hospitals, to find out how many were automated, how many weren't automated, how many had them, what they reported on. And to your point, we found that 98% of hospitals had an event reporting system. So that was good news. We found that at only 40% of those hospitals did the event reporting system receive any reports on health care-associated infections, which meant that the patient safety team running the event reporting system wasn't talking to the infection control team. This is a perfect example of a fragmentation of efforts at the hospital level.

We have tried to address that problem in the PSO program through the common definitions and reporting formats. Speaking now just about the area we have addressed, which is patient safety in hospitals, we have created common definitions and reporting formats (termed Common Formats) that will cover all patient safety events, no matter how rare or common. We have designed a common way of reporting any adverse event, including incidents, near misses, and unsafe conditions, and it will be standardized throughout the hospital regardless of where it occurs or what type of event gets reported. Basic information is standardized for all events. In addition, more detailed information is standardized for the more common types of events, such as health care–associated infections, medication errors, pressure ulcers, falls, and a few others. Hence the information will be clinically comparable no matter where in the institution an event occurs—or even in what institution it occurs. Information can be reported by different areas in the hospital, and shed light on where events are occurring, as well as aggregated across institutions, by PSO, and nationally.

One might think that AHRQ would have specified what the common formats would be for national reporting, and just define the data that we want to see come in at the national level. We didn't do that. We defined what should be collected at the local level, where care is being delivered at the hospital. The reason for that is two-fold. The first is that if you only define it at the national level and don't specify the details necessary at the point of care, leaving a degree of freedom in terms of what gets reported at the local level, then people may report things differently so that when they're aggregated at the national level they don't mean the same thing. We thought that the opportunity to define things in a common way had to begin where the data are initially collected. That also gave us the opportunity to say, we're going to define a system that doesn't work just at the national level, it works at the local level. So we are defining the queries that providers or institutions want to make, we're defining the data that need to be collected to answer those queries, and we're defining those reports that need to be run at the local level to report on what has been found. We're also issuing technical specifications so software developers can develop systems both to collect and to report on patient safety events and unsafe conditions at the local level, and transmit to the PSO and the Network of Patient Safety Databases. That will allow local institutions to run their own reports without having to wait to get them back from the national level. Then the aggregate reports can be done on all medication errors in the institution over some time period so that the system should work to support risk management and quality improvement in local institutions. The same kinds of reports that are available for the local institution provide the foundation for rolling up at the PSO level and to the national level, which also provides the ability to benchmark or compare findings at one hospital with another, one PSO with another, and nationally. So that's how we address the needs of the local institution to rationalize and harmonize what they're doing and integrate it at higher levels of aggregation.

RW: When the legislation was passed, there were maybe only a couple of state-required reporting systems on the NQF "Never Events" List. The HITECH law wasn't passed, which is infusing billions of dollars to promote health care IT, and health reform hadn't been passed, which changes a number of things related to quality and safety. So how has the agenda for PSOs evolved in light of these really remarkable changes in the landscape of safety, quality, and health care more generally?

WM: The simple answer is that none of those activities actually address the need that PSOs fill. In other words, none of them, at least to the best of my knowledge, address the issues of privilege and confidentiality in a way that sets up the protected space that enables the creation of a culture of safety and free reporting of adverse events and unsafe conditions. To a large extent, the PSO law that passed 5 years ago still retains its relevance and its uniqueness. I could add to the list the increasing requirement of CDC's National Healthcare Safety Network (NHSN) system for health care-associated infections, which I believe is now required by more than 20 states; there were few, if any, mandatory requirements for NHSN back in 2005. I think the CDC was operating at about 350 hospitals then, and now they're in several thousand. Those are all events that obviously have changed the reporting landscape, as you correctly note.

The HITECH Act and other initiatives dealing with IT try to simplify providers' lives by automating things with the computer. However, if you have two different systems and they're on paper, it's almost easier to sit down and knock heads in a room and get some kind of collaborative agreement on how you're going to unify them. If you've got two different systems that are supported by computer code, it's a rather more expensive and lengthy process. So to some extent, the increasing automation of everything has on the one hand offered the opportunity for harmonization, more efficient data collection, reporting, and much more powerful ability to analyze. But it's also increased the likelihood of creating silos encased in concrete. What we're trying to do, recognizing that fact, and recognizing that the end user of all of this—the provider, the hospital, the doctor's office—are finding reporting burdens increasing and becoming more of a problem, with different people requiring the same event to be reported in different ways. We are trying to work with other organizations to begin to foster harmonization and standardization in the way data are collected. So for instance, we're working closely with the CDC to harmonize what we do in PSOs with the NHSN system, and in fact, we have an interagency committee that includes all of the major health agencies in the Department of Health and Human Services as well as the Department of Defense and the Department of Veterans Affairs. These agency representatives work with us to achieve consensus on the Common Formats. We also use the National Quality Forum to obtain public feedback, so we've been able to get hundreds and hundreds of comments on the Common Formats from interested parties, including states and professional associations as well as the public and providers. The NQF also convenes an expert panel that provides AHRQ with advice on public comments received and on the Common Formats themselves.

We're trying to the best of our ability to act as an agent to work collaboratively with the health care community to begin to represent things in a fashion that is scientifically supportable, represents the consensus of the stakeholder communities, and begins to rationalize both substantively and electronically how things are represented. The ultimate goal is that the end user, where care is delivered, would ultimately report only what's important. Data would be collected only once. If reports are needed by the CDC, the FDA, the state, and a PSO, data get collected once and sent wherever they need to go. A provider is not burdened with multiple data reporting requirements from multiple parties regarding the same events.

RW: You are in a position where you're likely going to be asked to report something about rates of safety events, even though in a voluntary system those are always going to be biased. You see examples of this all the time—private and governmental organizations that report the number of incidents in their systems, and one doesn't know whether these reports reflect their actual safety or their reporting practices. Have you come with an answer to that conundrum?

WM: My preference is that we won't report anything that isn't valid, and we'll caveat it however we need to. I think the reliability of the information and not exaggerating what we have is essential to our credibility. In addition, we're very sensitive to legitimate concerns on the part of the people who have to collect this information about the volume of data collection. We are guided by a principle that nothing should get collected unless one has already decided exactly why it's important to collect it, and how it's going to be used in a report. We're defining clinical questions for which we want answers, and then we're stipulating how the data that get collected to answer those questions are actually used in a report that will run at the institutional level. Any data that might be collected—if it's not going to be used in a report, we don't collect it. We also recognize that even with those strict rules, there can be things that it's nice to have, but there's a tradeoff between the value of the information collected and reported, and the time it takes to collect it. We're trying to get that balance right. In the end, if the whole collection analysis and reporting effort is not improving care to patients, then it needs to be changed until it is, and nothing should get collected or reported that doesn't drive toward that end. We keep that as our goal.

This project was funded under contract number 75Q80119C00004 from the Agency for Healthcare Research and Quality (AHRQ), U.S. Department of Health and Human Services. The authors are solely responsible for this report’s contents, findings, and conclusions, which do not necessarily represent the views of AHRQ. Readers should not interpret any statement in this report as an official position of AHRQ or of the U.S. Department of Health and Human Services. None of the authors has any affiliation or financial involvement that conflicts with the material presented in this report. View AHRQ Disclaimers