Attachment C: Guidance Regarding Patient Safety Organizations’ Reporting Obligations and the Patient Safety and Quality Improvement Act of 2005 (Guidance)

Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations and the Patient
Safety and Quality Improvement Act of 2005
The Patient Safety and Quality Improvement Act of 2005 (the Patient Safety Act), and
the implementing regulations at 42 CFR Part 3, provide for the disclosure of information
relating to patient safety events by health care providers to entities known as “patient
safety organizations” (PSOs). The statute attaches privilege and confidentiality
protections to this information, termed “patient safety work product” (PSWP), to
encourage providers to assemble and report this information without fear of liability, and
provides for the certification and listing of PSOs, which receive this information and
analyze these patient safety events so as to improve patient safety and the quality of care.
The Agency for Healthcare Research and Quality (AHRQ), within the Department of
Health and Human Services (HHS), is responsible for certifying and listing entities as
PSOs based on their meeting certain criteria, with continued listing contingent upon their
continuing to meet such criteria. AHRQ may also certify and list “component PSOs,”
which are “component organizations.” A “[c]omponent organization means an entity
that: (1) [i]s a unit or division of a legal entity (including a corporation, partnership, or a
Federal, State, local or Tribal agency or organization); or (2) [i]s owned, managed, or
controlled by one or more legally separate parent organizations.” 42 CFR 3.20. The
Office for Civil Rights (OCR) within HHS is responsible for interpretation,
administration and enforcement of the confidentiality protections and disclosure
permissions of the Patient Safety Act and Rule.
The purpose of this Guidance is to address questions that have arisen regarding the
obligations of PSOs where they or the organization of which they are a part are legally
obligated under the Federal Food, Drug, and Cosmetic Act (FDCA), 21 U.S.C. § 301 et
seq., and its implementing regulations to report certain information to the Food and Drug
Administration (FDA) and to provide FDA with access to its records, including access
during an inspection of its facilities. For example, FDA-regulated device manufacturers
who are subject to FDA medical device reporting requirements may seek listing for a
component PSO. See 21 U.S.C. § 360i(a) and 21 CFR Part 803. This Guidance applies
to all entities that seek to be or are PSOs or component PSOs (collectively, “PSOs”) that
have mandatory FDA-reporting obligations under the FDCA and its implementing
regulations (“FDA-regulated reporting entities”) or are organizationally related to such
FDA-regulated reporting entities (e.g., parent organizations, subsidiaries, sibling
organizations). This Guidance provides: 1) clarification regarding the Patient Safety Act
statutory and regulatory provisions that provide for disclosure pursuant to the Patient
Safety Act, and 2) the circumstances under which a conflict of interest may prevent the
listing (or require the delisting) of a component PSO and the steps the Department is
taking to prevent and address such conflicts. This Guidance should be used by currently
listed PSOs and entities seeking to be listed as PSOs that are, or are organizationally

Issued: December 2010

“Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement Act of 2005”

1

related to, FDA-regulated reporting entities, and will be used by AHRQ in making listing
and delisting decisions.
Provisions Providing for FDA Reporting and Access to PSWP
In enacting the Patient Safety Act, Congress protected PSWP as privileged and
confidential, and also recognized that exceptions to these protections are warranted in
some limited circumstances such that the disclosing of PSWP would be permitted. In
regard to the FDA, the Patient Safety Act 1) permits providers to disclose PSWP to the
FDA with respect to a product or activity regulated by the FDA (the “FDA Exception”),
and 2) permits any person or entity to disclose to the FDA PSWP necessary to meet
required reporting obligations to the FDA (“the FDA Rule of Construction”). These
provisions recognize that the Patient Safety Act works in concert with FDA laws in
pursuit of their common goal of promoting and protecting patient safety. The FDA Rule
of Construction ensures that PSOs that are FDA-regulated reporting entities and PSOs
that are organizationally related to FDA-regulated reporting entities cannot avoid their
mandatory reporting obligations to the FDA under the FDCA and its implementing
regulations, and otherwise permits the effective operation of the FDA reporting system.
The FDA Exception
The confidentiality requirements of the Patient Safety Act do not apply to or prohibit a
“[d]isclosure by a provider to the Food and Drug Administration with respect to a product
or activity regulated by the Food and Drug Administration.” 42 U.S.C. § 299b22(c)(2)(D). The final rule implementing the Patient Safety Act regulation at 42 CFR
3.206(b)(7)(i) provides that the confidentiality provisions shall not apply to or prohibit:
"Disclosure by a provider of patient safety work product concerning an FDA-regulated
product or activity to the FDA, an entity required to report to the FDA concerning the
quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor
acting on behalf of FDA or such entity for these purposes.” Subsection (b)(7)(ii)
provides that: “Any person permitted to receive patient safety work product pursuant to
paragraph (b)(7)(i) of this section may only further disclose such patient safety work
product for the purpose of evaluating the quality, safety, or effectiveness of that product
or activity to another such person or the disclosing provider.”1
The preamble to the final rule implementing the Patient Safety Act responded to a
number of comments on the FDA Exception. The following comment and HHS response
are relevant here. The comment, as indicated in the regulation at 73 Federal Register
70732, 70782 (November 21, 2008), states: “Comment: Five commenters asked that the
final rule allow PSOs as well as providers to disclose or report patient safety work
1

We also note that the Patient Safety Act does not interfere with or affect providers voluntarily sharing
non-PSWP with the FDA, which can include analyses of adverse events that were not assembled or
developed for reporting to a PSO or information that exists separately from a patient safety evaluation
system (PSES). PSES is defined in the Patient Safety Act’s regulation as “the collection, management, or
analysis of information for reporting to or by a PSO.” 42 CFR 3.20.

Issued: December 2010

“Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement Act of 2005”

2

product to the FDA or to an entity that is required to report to the FDA.” HHS’ response
was as follows: “We do not modify the provision as there is no statutory authority to
allow PSOs to report patient safety work product to the FDA or to an entity required to
report to the FDA. However, the statute does permit providers to report patient safety
work product to the FDA or to an entity required to report to the FDA.” (emphasis
added).
The response to the comment was intended to explain that the FDA Exception set forth in
42 U.S.C. § 299b-22(c)(2)(D) only pertains to disclosure by a provider, not by any other
entity. To avoid any misinterpretation of the response to the comment, this Guidance
clarifies that the response is limited to the scope of 42 U.S.C. § 299b-22(c)(2)(D), as
reflected in 42 CFR 3.206(b)(7). Also, to avoid any misinterpretation of the response to
the comment, this Guidance clarifies that, independent of the FDA Exception, the FDA
Rule of Construction operates to permit the disclosure of PSWP to the FDA to meet
required reporting obligations. Thus, there is statutory authority (i.e., the FDA Rule of
Construction) that allows PSOs to report PSWP to the FDA. The FDA Rule of
Construction is discussed in more detail below.
The FDA Rule of Construction
The Patient Safety Act includes a provision at 42 U.S.C. § 299b-22(g)(6), the “FDA Rule
of Construction,” which states that “[n]othing in this section shall be construed . . . to
limit, alter, or affect any requirement for reporting to the Food and Drug Administration
information regarding the safety of a product or activity regulated by the Food and Drug
Administration.” (emphasis added.) The Patient Safety Act added sections 921 to 926 to
the Public Health Service Act. The “section” that is referenced in the FDA Rule of
Construction is section 922 of the Public Health Service Act, 42 U.S.C. § 299b-22, which
includes all of the Patient Safety Act’s privilege and confidentiality protections and
exceptions. Thus, the privilege and confidentiality protections in the Patient Safety Act
cannot be construed to limit, alter, or affect any requirement for reporting information to
the FDA regarding the safety of an FDA-regulated product or activity.
FDA-regulated entities generally have mandatory adverse event reporting responsibilities
under the FDCA and its implementing regulations. One example of such FDA
mandatory reporting requirements is device manufacturers’ medical device reporting
(MDR) responsibilities. See 21 CFR Part 803. If a device manufacturer has a component
PSO, the device manufacturer must have access to certain complaint/adverse event
information the PSO receives as PSWP in order to fully comply with its MDR
responsibilities under the FDCA. Under the FDCA and its implementing regulations,
device manufacturers are required to establish and maintain MDR event files and
complaint files, and must also establish and maintain procedures for receiving, reviewing,
and evaluating complaints by a formally designated unit. See 21 CFR 803.18 and 21
CFR 820.198. In addition, certain records, including complaint files, must be maintained
at the manufacturing establishment or other location that is reasonably accessible to
responsible officials of the manufacturer and to FDA employees designated to perform

Issued: December 2010

“Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement Act of 2005”

3

inspections, and MDR event files must be clearly identified and must be maintained to
facilitate timely access. See 21 CFR 803.18 and 21 CFR 820.180. A device
manufacturer must permit any authorized FDA employee, at all reasonable times, to
access, to copy, and to verify MDR event files. 21 CFR 803.18(b)(2).
This Guidance clarifies that the FDA Rule of Construction is to be read broadly to permit
PSOs that are, or are organizationally related to, FDA-regulated reporting entities to
report to the FDA, including where such reports contain PSWP collected or developed by
the FDA-regulated reporting entity or a PSO organizationally related to the FDAregulated reporting entity. This Guidance clarifies that the reporting requirements
referenced in the FDA Rule of Construction encompasses the steps FDA may take under
the FDCA, including FDA inspection, to ensure FDA-regulated reporting entities are
making all required reports under the FDCA and are adequately evaluating and
investigating adverse events/complaints. Thus, FDA may inspect facilities and any
adverse event/complaint files, including files containing PSWP that are held by PSOs that
are FDA-regulated reporting entities or a PSO that is organizationally related to an FDAregulated reporting entity. In addition, under the FDA Rule of Construction, the FDAregulated reporting entity may have access to all complaint and adverse event files related
to its products, including files containing PSWP that it creates or receives as a PSO or
that is created or received by a PSO organizationally related to the FDA-regulated
reporting entity.
Upon disclosure to the FDA pursuant to the Rule of Construction (whether through the
FDA-regulated reporting entity or directly to the FDA), PSWP will no longer be
considered privileged or confidential. Based on this Guidance, PSWP received by the
FDA under the FDA Rule of Construction is not subject to continued protection under the
Patient Safety Act, and therefore can be used by the FDA for enforcement purposes to
ensure the safety of FDA-regulated products or activities. For example, FDA may seek
civil money penalties for violations of the FDCA, including violations of adverse event
reporting requirements, or injunctions to prevent unsafe products from being placed in
the marketplace.
In conclusion, the Patient Safety Act’s mandate that nothing in the Act’s privilege and
confidentiality provisions shall be construed to “affect any requirement for reporting” to
the FDA prevents the use of PSOs by FDA-regulated reporting entities to avoid their
obligations to the FDA and otherwise permits the effective operation of the FDA patient
safety system created by Congress.
Conflict of Interest
The Patient Safety Act establishes criteria for the certification and listing of PSOs.
Entities that wish to be component PSOs must meet these criteria as well as additional
requirements if they are to be (and remain) component PSOs. One of these additional
requirements is the requirement that “the mission of the [component PSO] does not create
a conflict of interest with the rest of the organization.” 42 U.S.C. § 299b-24(b)(2)(C).

Issued: December 2010

“Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement Act of 2005”

4

This Guidance addresses two points: first, as discussed above, for an FDA-regulated
reporting entity, there is no inherent conflict between its obligations to FDA under the
FDCA and its obligations under the Patient Safety Act; and second, how to avoid any
potential conflict of interest.
Generally the mission of a component PSO that is a part of an FDA-regulated reporting
entity does not create a “conflict of interest” with the rest of the organization. For
example, a key mission of a component PSO is maintaining the confidentiality of PSWP
under the Patient Safety Act. There is no conflict of interest between a component PSO
and the rest of the organization that is subject to FDA reporting requirements because
disclosure is permitted by the FDA Rule of Construction.
However, a “conflict of interest” between the component PSO and the FDA-regulated
reporting entity may arise where the FDA-regulated reporting entity (or its component
PSO) does not comply with its FDA reporting obligations. A “conflict of interest” arises
where a component PSO misuses its status as a component PSO and its Patient Safety
Act confidentiality mission as a basis for preventing the FDA-regulated reporting entity
or component from meeting its legally-required FDA reporting obligations. Thus, an
entity whose parent organization is an FDA-regulated reporting entity will not be eligible
to be certified and listed as a component PSO unless the entity agrees to disclose PSWP
to its parent and FDA, when required under the FDCA and its implementing regulations,
and provide FDA with access as required by law and as discussed in this Guidance. In
addition, if it is determined that a component PSO does not make such disclosures or
provide such access to the FDA, this would be a basis for delisting that component PSO.
In these situations, there is a “conflict of interest” under the Patient Safety Act in that the
component PSO would be acting in conflict with the responsibilities of the FDAregulated reporting entity of which it is a part to comply with its reporting obligations
under the FDCA and its implementing regulations.
Preventing and Addressing “Conflicts of Interest”
In order to ensure the integrity and effectiveness of both the Patient Safety Act and the
FDA reporting regimes, HHS believes it should deny component PSO certification and
listing to entities that cannot adequately ensure that such certification and listing would
not create a “conflict of interest” between the component PSO and the FDA-regulated
reporting entity of which it is part, and by delisting PSOs that, through their actions,
create a “conflict of interest.”
AHRQ is responsible for certifying and listing PSOs, including component PSOs, and for
delisting such entities when necessary. AHRQ currently requires entities that seek to be
component PSOs to sign an attestation that the statements on the application form, and
any submitted attachments or supplements, are true, complete and correct to the best of
the authorizing official’s knowledge. Included on the application is an opportunity for
the applicant entity to check “yes” or “no” to question number 18: “Will the component
entity ensure that the pursuit of its mission will not create a conflict of interest with the

Issued: December 2010

“Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement Act of 2005”

5

rest of its parent organization(s)?” The application form also indicates that if the answer
is “no” for any of the questions, additional clarification may be sought before the
Secretary makes a determination regarding initial listing. In addition, the form indicates
that applicants must promptly notify HHS if any changes take place that would render
any attestation inaccurate or incomplete.
This Guidance clarifies that, in determining whether the component entity is able to avoid
a “conflict of interest”, an affirmative answer to the attestation under question 18 by an
entity applying to be a component PSO that is part of an FDA-regulated reporting entity
has particular meaning. It signifies that the component PSO agrees that it must comply
with all FDA reporting responsibilities, including 1) disclosing relevant PSWP held by
the component PSO to the FDA-regulated reporting entity and to the FDA, and providing
FDA with access to such PSWP (held at the PSO); and 2) having the component PSO
disclose relevant PSWP to the FDA-regulated reporting entity of which it is part in order
to ensure that such entity meets its FDA reporting requirements. The PSWP that is
relevant depends upon the specific FDA requirements relating to the entity. For example,
FDA-regulated manufacturers are subject to mandatory MDR responsibilities pertaining
to device-related adverse events as provided in 21 CFR Part 803.
This Guidance also clarifies that AHRQ may seek additional information as needed for
determining whether an applicant meets the PSO and component PSO criteria. The
Patient Safety Act regulation provides, at 42 CFR 3.102(a)(1)(vii), that entities seeking to
be PSOs or component PSOs, must “[p]rovide other information that the Secretary [of
HHS] determines to be necessary to make the requested listing.” For example, AHRQ
may request additional information from entities that apply to be component PSOs and
may be part of an organization that has FDA reporting responsibilities.
AHRQ may also request additional information from any entities that currently are
component PSOs whose organization includes an FDA-regulated reporting entity so as to
better understand whether they can meet or are meeting their mandatory FDA reporting
requirements and to determine whether there is a “conflict of interest.” 2 AHRQ will also
be asking currently listed component PSOs and entities seeking to be component PSOs to
identify whether they are organizationally related to an FDA-regulated reporting entity.
AHRQ will also be asking component PSOs of FDA-regulated reporting entities to
provide timely notification to currently reporting providers and prospective reporting
providers that the PSO will disclose certain information to the FDA-regulated reporting
entity of which it is part and that FDA will have access to certain adverse event
2

We also note that the Patient Safety Act regulation, at 42 CFR 3.110, “Assessment of PSO compliance,”
states: “The Secretary may request information or conduct announced or unannounced reviews of, or site
visits to, PSOs, to assess or verify PSO compliance with the requirements of this subpart and for these
purposes will be allowed to inspect the physical or virtual sites maintained or controlled by the PSO. The
Secretary will be allowed to inspect and/or be given or sent copies of any PSO records deemed necessary
and requested by the Secretary to implement the provisions of this subpart. Such PSO records may include
patient safety work product in accordance with § 3.206(d) of this part.”

Issued: December 2010

“Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement Act of 2005”

6

information received by the PSO as outlined in this Guidance. In addition, AHRQ will
be asking that such notification be included in any contracts that component PSOs have
with providers. Finally, after seeking any needed verification from component PSOs, and
as an aid to providers, AHRQ plans to identify on its website those component PSOs that
it learns are subject to FDA reporting requirements.
Additional Actions to be Taken by AHRQ
PSOs, and entities that seek to be PSOs, are reminded that an entity that is a unit or
division of a legal entity, or that is owned, managed or controlled by one or more legally
separate parent organizations, and that seeks to be a PSO, must apply as a component
PSO. Thus, an entity that would be operating as a PSO and that is part of a larger
organization that engages in FDA-regulated reporting activities, or that has a parent
organization that engages in FDA-regulated reporting activities must seek listing as a
component PSO. In addition, under 42 U.S.C. 299b-24(b)(1)(A), a PSO’s mission and
primary activity must be to conduct activities to improve patient safety and the quality of
health care delivery. Seeking listing as a component PSO helps to ensure that entities
with multiple missions and activities (such as FDA-regulated reporting activities) are in
compliance with this statutory requirement. Given the issues identified in this Guidance,
AHRQ will also be engaging in additional inquiry of applicants and PSOs to determine
whether the entity is organizationally related to an FDA-regulated reporting entity such
that it should be listed as a component PSO (i.e., it is a unit or division of a legal entity,
or is owned, managed or controlled by one or more legally separate parent
organizations.) If the entity should be listed as a component PSO, AHRQ will work with
the entity to pursue such appropriate listing.

Issued: December 2010

“Department of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement Act of 2005”

7