The Patient Safety and Quality Improvement Act of 2005 (PSQIA) offers substantial legal protections to hospitals investigating medical errors, but one must understand the law to attain its full benefits. If one proceeds carefully, much information gathered can be protected from the prying eyes of plaintiffs’ attorneys.

The PSQIA was the federal government’s response to To Err is Human: Building a Safer Health System, the groundbreaking 1999 report by the Institute of Medicine (IOM) that increased the awareness of medical errors.1 The IOM report estimated that 100,000 people die each year because of medical harm that could have been prevented.

The purpose of the PSQIA was to improve the quality of patient care by encouraging confidential review and reporting of adverse patient events, notes Amy L. Blaisdell, JD, an officer with Greensfelder in St. Louis.

To facilitate this objective, the PSQIA created a federal peer review privilege and more sweeping evidentiary protections for materials used therein than typically is available under state law.

Understanding the protections afforded by the PSQIA is important for several reasons, Blaisdell says. First, the PSQIA substantially limits the risk that providers and healthcare systems were exposed to under state peer review statutes.

Historically, efforts to study patient safety events were subject to the risk that the information would be sought in discovery in provider disciplinary hearings, medical malpractice cases, and other legal proceedings.

“The PSQIA created a uniform layer of national protection on top of state law. Peer review professionals can fully investigate and share information regarding medical errors without being subject to discovery in connection with a federal, state, or local civil, criminal, or administrative proceeding,” Blaisdell says. “Specifically, the act protects data, reports, records, memorandum, analyses, and written and oral statements that are compiled and submitted to a Patient Safety Organization [PSO] or developed by a PSO in order to conduct patient safety activities.”

This work product is called Patient Safety Work Product (PSWP).

Helps Provide Uniform Approach

Second, the uniform, national protections that PSQIA created help alleviate the risk that healthcare systems in multiple states will be subject to varying state laws and enable providers to develop a consistent approach for their patient safety activities, Blaisdell says.

Third, the PSQIA allows providers to aggregate data. This helps providers receive the benefit of learning from others’ mistakes. It also allows healthcare systems that report their patient safety activities to PSOs to engage more freely in discussions about adverse patient events to prevent them, Blaisdell says.

The PSQIA creates PSOs to collect, aggregate, and analyze information that healthcare providers submit confidentially. PSOs include all organizations that collect and analyze PSWP. Providers receive feedback on how to improve patient safety and quality of care.

Peer review professionals should determine whether their organization can qualify as a PSO before counting on the protections afforded by the PSQIA, Blaisdell suggests.

Criteria for a PSO

Generally, Blaisdell says an organization must complete four steps to qualify as a PSO. First, the organization must be the type of entity that can establish a PSO. A wide range of entities can form PSOs.

These can include public or private entities, for-profit or nonprofit entities, provider entities, hospital chains, and other entities that establish special components.

The organization must certify that it has established procedures needed to perform eight patient safety activities specified in the PSQIA, Blaisdell explains. This includes establishing policies and procedures to ensure patient safety activities are executed properly.

The organization also must certify that it will comply with seven additional criteria specified in the Patient Safety Rule. The additional criteria focus on the mission and activities of the PSO, the qualification of the PSO’s workforce, reporting to the Secretary of Health and Human Services, and the purposes for which PSWP will be used, Blaisdell says.

Finally, the organization must confirm it meets the requirements to be listed as a PSO. “Even if an organization cannot establish its own PSO, it can nevertheless engage in patient safety activities, create PSWP, and report information to another PSO,” Blaisdell says. “As such, the organization can achieve the goal of improving patient safety, while also maximizing the protection under federal law.”

The primary pitfall is the belief that the work begins and ends with establishing a PSO or participating in one. That is only the starting point, Blaisdell cautions. As with developing any policy, the practice is only as strong as its implementation and use. Another pitfall is the failure to educate providers about the existence and scope of the PSO, along with their obligations, Blaisdell says. Education is critical because the PSQIA prohibits providers from disclosing PSWP, absent a specific exception.

Furthermore, the PSO can only achieve its purpose (improving patient safety) by controlling the quality of input and output from the system, she says. There also may be the opportunity to “stack” these protections with those afforded by state law.

“In general, providers and healthcare systems want to access the broadest protections available to them, which will generally be the protections available under the federal act. However, [they] should never ignore the protections that are available under state law,” she says.

“They should ensure that they understand the extent to which state laws provide different protections from the federal law,” Blaisdell continues. “Once they have done so, they should establish a uniform process through which all patient safety activities are conducted. This makes clear that the process is intended to be conducted under the broadest confidentiality protections available under the act and state law.”

Organizations that establish or participate in PSOs should create a PSO and PSWP policy, which explains that the purpose of the PSO is to improve patient safety in accordance with the PSQIA’s requirements and applicable state law, Blaisdell says.

At a minimum, Blaisdell says the policy should meet these requirements:

  • Define patient safety activities and PSWP in accordance with the PSQIA;
  • Outline the practice for reporting of patient safety information to the PSO;
  • Make clear that all patient safety activities are subject to the policy;
  • Stress that the maximum available confidentiality protections under the PSQIA and state law are intended to apply.

Understand What Is Not Protected

It is important to understand what is not protected as PSWP, says Bruce D. Lamb, JD, shareholder with Gunster in Tampa, FL. The PSQIA specifically excludes information prepared for purposes other than reporting to the PSO to improve patient safety.

“That would include patient records and anything prepared for mandatory reporting to a state agency,” Lamb says.

“This puts the facility in a quandary because it may have obligations to analyze events for multiple reasons,” Lamb continues. “For example, there may be obligations to do so to retain accreditation by The Joint Commission. Most states have some type of obligation to report to them.”

Those reports would not be protected under the PSQIA as PSWP, but they typically are more limited in scope than what would be reported to the PSO, Lamb notes. That information usually covers which practitioner was involved, the nature of the incident, when it occurred, and whether any corrective action was taken. A report to the PSO often is more in-depth, Lamb adds. When the PSQIA was enacted, healthcare leaders were unsure if they needed to run two separate systems of analysis to preserve patient safety privileges.

Since then, the government has provided more guidance. Hospitals can run only one investigation and pull out the documents that must be reported to regulators or accreditation bodies. “Then, you can continue with your process to look for corrective action plans and other information, putting that in your report to the PSO. That information then will be protected as patient safety work product,” Lamb explains.

Many healthcare leaders do not understand the protections afforded by the PSQIA, Lamb says. This is evident in the many court cases in which parties contest whether particular information is protected as PSWP and the hospital is deemed to have stumbled with its processes.

“There is a lot of inconsistency and variability in the outcomes, with courts ordering that the material be turned over to a plaintiff, and others concluding that it is protected,” Lamb explains. “It’s not very well understood, and it’s an evolving area of the law.”


  1. Institute of Medicine. To Err is Human: Building a Safer Health System. Summary. Available at: Accessed Dec. 30, 2019.


  • Amy L. Blaisdell, JD, Officer, Greensfelder, St. Louis. Phone: (314) 516-2642. Email:
  • Bruce D. Lamb, JD, Shareholder, Gunster, Tampa, FL. Phone: (813) 222-6605. Email: