Regulations within the healthcare field are increasing. More and more federal, state, and local agencies are developing rules and regulations for the healthcare industry. Complying with regulatory agencies is a very important part of managing security in the healthcare arena. Several federal and state agencies influence security services within the healthcare environment. In order to comply with healthcare security regulations, it is important to understand the rules and regulations created by each regulatory agency and the meaning behind the regulations that they enforce. A firm understanding of all regulations that involve security can help us to run an effective and efficient security program.

The Joint Commission is a nonprofit organization that has accredited thousands of healthcare organizations and programs in the United States. A majority of state governments recognize Joint Commission accreditation as a condition of licensure for the receipt of Medicaid and Medicare reimbursements. The Joint Commission was formerly the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), and previous to that the Joint Commission on Accreditation of Hospitals (JCAH).

The Joint Commission started a program in 1996 to improve patient care by collecting and sharing knowledge and statistics on adverse events occurring within the organizations it accredited. Called a “sentinel event,” each hospital organization is required to report unexpected occurrences, such as accidental death, serious physical or psychological injury, and infant abduction. The hospital completes an in-depth analysis to determine what caused the event and how the event can be prevented in the future. An adverse or undesirable event includes patient falls, medication errors, procedural errors/complications, completed suicidal behavior, and missing patient events. The Joint Commission has also requested that healthcare members investigate “near misses.” A near miss is a situation that could have resulted in an accident, injury, or illness but did not. An example of a near miss would be a surgical or other procedure almost performed on the wrong patient due to lapses in verification of patient identification but caught at the last minute.

The Joint Commission expects organizations to conduct a full investigation into why the adverse event occurred and determine what can be done to prevent it from recurring. The process that the Joint Commission utilizes for the investigation and prevention of adverse events is called “root cause analysis.” Root cause analysis is a process for identifying the basic or contributing factors that contribute to variations in performance. A root cause analysis focuses primarily on systems and processes, not individual performances. Root cause analysis is not about blame or negligence; it is about finding methods or processes to improve the situation in order to prevent its recurrence. Security may be involved in a root cause analysis when an event involves a process that security is part of, for example, an infant abduction or patient elopement.

The Joint Commission requires hospitals to collect information to monitor conditions in the hospital environment and improve security program processes. This information or data is collected in order to manage risk, risks that are identified by the security department through internal sources such as ongoing monitoring of the Environment of Care, results of root cause analyses, and results of annual risk assessments. External sources such as sentinel event alerts, trade publications, and local, state, and national news events. The collection process must include the continued monitoring, reporting, and investigating of security-related incidents that involve patients, staff, visitors, and volunteers, as well as the analysis and trending of collected data on potential high-risk incidents. The collection of data should include a yearly assessment of risk within the hospital and the identification of high-risk areas or what the Joint Commission calls “security-sensitive areas.” The security department should use the results of data analysis to identify opportunities to resolve security issues and minimize or eliminate the identified security risks. As part of the analysis process, the security department must develop and monitor what are called performance indicators. These are data metrics developed from the collection and analysis of security-related data. The resulting data analysis should be used to measure improvement in security issues and risks. ¹

The Joint Commission requires all hospitals to development and implement a written “security management plan.” The plan should describe how the organization establishes and maintains a program that protects staff, patients, and visitors. The plan should designate those persons responsible for developing, implementing, and monitoring the plan and address all of the Joint Commission standards within the plan. For example, the plan should outline, but not detail, the controlling of access to and from sensitive areas or how the security department will provide for vehicular access to the emergency department. The plan should be written in plain English and outline the activities and actions of the security department, including its mission statement and department values. Many hospitals write their security plan by recording the individual standards and then describing the processes that the hospital uses to meet each standard. This is the best technique in writing the plan. The Joint Commission prefers this type of written plan because a surveyor can easily review the plan and see how the plan meets the standards. The security management plan should be reviewed annually when the new standards are published. This will keep the plan up to date and allow the security department to stay in compliance with the Joint Commission while modifying operations and processes as necessary to meet standards.

The Joint Commission wants security departments to evaluate staff performance based on their job responsibilities and training. This evaluation should be conducted at least yearly or as necessary to ensure the highest level of staff performance. This evaluation should be documented and completed especially where job functions involve direct patient care. For security, that means competence in patient restraint, patient watches, customer service, and any other job functions that relate to patient care. The Joint Commission requires that this assessment method utilize competencies in skills that are necessary to perform security officer work. Competency ­methods include test taking, demonstration/observation, and the use of simulation. Staff competence should start at orientation and be utilized through all training conducted with the security staff for their entire career. Competency assessments should be documented and stored in each employee’s personnel file. When a staff member’s competence does not meet expectations, the Joint Commission wants hospitals to document corrective actions. For example, job functions for each security post or job should be broken down to the essential job components. For officers that stand in the main entrance, competencies may include where the officer stands, what he says to greet patients and visitors, or the checking of employee IDs or visitor passes. Failing a competency evaluation means the security department should provide documented additional training and reassessment to ensure that the officer meets the competency.

The Joint Commission requires that all hospital staff be oriented and educated about the security processes within their area of work and that they possess the knowledge and skill required to perform their responsibilities under the security management plan. The standard requires that personnel be able to describe or demonstrate knowledge of security risks, like infant abduction and reporting procedures for security incidents involving patients, visitors, personnel, and property. Under the Human Resource Standard, hospital personnel that work in designated security-sensitive areas should be able to describe or demonstrate the security risks associated with their area, how to minimize them, emergency procedures for security incidents, and the reporting procedures for security incidents specific to their area. Many hospital security departments use new employee orientation and annual ­in-service training to review security policy and practices with staff. Many hospitals include procedures like workplace violence, active shooter, and escort services and basic crime prevention information in their security ­orientation and annual in-service training.

Training under the Joint Commission includes training community personnel that visit or stay within the hospital. Published within the Human Resource Standard, most hospitals require security to provide training to and act as a liaison with law enforcement personnel while on hospital property. The Joint Commission wants law enforcement personnel to be oriented on hospital and security procedures. Procedures like fire response, smoking, and patient restraint should all be taught to law enforcement personnel who are in the hospital for prisoner security or treatment escort. Because of a number of events that have occurred in healthcare facilities with law enforcement personnel and their prisoner patients, the Joint Commission requires the education of law enforcement personnel that are present in a healthcare facility. This standard includes law enforcement personnel who are guarding an inpatient who is a prisoner or who visit the hospital facility on a regular basis and are present within the facility for an extended period guarding outpatient prisoners. The standard requires that these law enforcement personnel be educated on hospital policy and procedure that may affect them during their time within the hospital. Law enforcement personnel need to be educated on basic safety protocols like fire response and patient restraint, visiting hours, the smoking policy, and the procedure for emergent medical situations like a heart attack. The standard requires the creation and maintenance of a logbook documenting training sessions. Security must document law enforcement personnel training and provide some written educational material to law enforcement personnel. Many hospitals place all of the required information on a laminated card that fits into the officer’s memo book. This way the law enforcement officer has immediate access to the information when needed. Some hospital security departments attend local law enforcement roll calls and provide the necessary information annually.

Hospitals must have a written emergency management plan in place that includes security. The plan requires advance preparation to support security during an emergency and describes the response procedures to follow when emergencies occur. The plan must coordinate its security activities and utilize an “all-hazards” approach that is flexible enough to address the duration, scale, and cause of a specific emergency. The plan should identify security’s capability and response procedures duri...