was successfully added to your cart.



By April 30, 2019C&A eNewsletter

PART II:  Addressing Today’s Top Issues with Effective Risk Assessments

Last month, in Part I, examples were shared on some of the risk assessments sought by surveyors.  Let’s look at some daily risk assessments and risk reduction strategies that may be helpful.

Not all required risk assessments are directed by CMS or by the Joint Commission.  Some required assessments are directed from the Office of Civil Rights, Department of Labor, OSHA or the Centers for Disease Control.  Not all expected risk assessments have been directly published in law that can be found in documents like the State Operations Manuals – they are published in what was the CMS Survey and Certification Letters which are now called the Quality and Safety Oversight Group memorandums (QSO’s).  Organizations must be able to identify these expectations to ensure they are capturing necessary components for compliance as well as ensuring the ‘risk appetite’ is being brought to the lowest level possible.

Special Consideration:  Do you think about History and Physicals, Informed Consents, Patient Care Planning and Restraint assessments as risk assessments? Most of us don’t, but they are.   “The purpose of an H&P is to determine whether there is anything in the patient’s overall condition that would affect the planned course of the patient’s treatment, such as an allergy to a medication that must be avoided, or a co-morbidity that requires certain additional interventions to reduce risk to the patient”. (3) ‘To reduce risk to the patient’ is the entire purpose behind any and all risk assessments.  There are multiple types of risk assessments available to an organization that need completion to identify and reduce risk for the patient. The problem is that staff are unaware of these.  Organizations must be diligent in educating staff on the purpose of these risk assessments to ensure that staff understand that risk reduction is the intended purpose for their actions. Some of these daily risk assessments include:

History and Physical 482.24(c)(4) – A0458 and 482.24 (c)(4) – A0461 RC 01.03.01 EP3; RC 02.01.03 EP3; PC 01.02.03 EP4; PC 01.02.02 EP 5; MS 01.01.01 EP16; MS 03.01.01 EP8;
Informed Consents 482.24(c)(4)(v) – A0466 RC 02.01.01 EP4; RI 01.03.01 EP1 and 2; RI 01.03.03 EP3
Patient Care Planning 482.13(e) – A154; 482.23(c)(4) – A 409; 482.43(a) – A0800; 482.51 -A0940; PC 01.02.05 EP1; PC 01.02.08 EP1; PC 01.03.01 EP1
Restraint Management 482.13(e) – A0154 PC 03.05.09


Whether the risk assessment is a comprehensive review of the patient’s condition or a cursory review of a process, the goal is the same; reducing the risk of harm to the patient.  How can an organization complete a risk assessment on everything within the course of hospital operations?  The answer is simple, all risk assessments are interconnected to others and have five basic components.  For example, the Patient Safety Work Plan is made up of at least four different risk assessments:

1) Exposure Control Plan,
2) Medication Management Plan,
3) Infection Prevention and Control Plan and
4) the Patient Needs Assessment – vulnerable patients.

When we conduct our basic patient assessments, we have already completed the bulk of every other risk assessment that we need to complete.


  • First, understand what is required in law, what are recommendations and what is evidence-based medicine.
  • Second, break down the interpretative guidance areas or the elements of performance to see what is ‘must’ have, and what is required in a written plan, policy or evaluation.
  • Third, ensure that the main risk assessments have been completed and are up to date; including:
    • Organizational Written Scope of Service – Resource Allocation Map
    • Patient Population Assessment – cultural, vulnerable patients, language, disease
    • Exposure Determination Assessment & Exposure Control Plan
    • Environment of Care Assessment (equipment inventory, safety, security, hazardous materials and waste, fire safety, medical equipment, utility systems)
    • Human Resources – employee job descriptions, roles and responsibilities, competencies
    • Hazard Vulnerability Analysis – all hazard approach including Emerging Infectious Diseases (EID’s).
  • Next, organize multi-disciplinary / inter-disciplinary teams to review all required written plans (note: CMS requires 134 written items and there are approximately 1,058 must have items).
  • Proceed with staff education on what a risk assessment is, when they can be used and how they impact patient care.
  • Ensure that risk assessment tools contain methods for:
    • Identification of risk potentials – high risk, problem prone, high volume issues;
    • Prevalence or severity of potential risk area;
    • Probability of the issue or event impacting the organization;
    • Impact of the issue or event will have on operations of the organization;
    • Area to document actions that will be or have been taken;
    • Area to mitigate or reduce risk associated to risk area;
    • Identified responsible person, group or committee;
    • Reporting method to leadership, medical staff or governance.
  • Ensure documentation exists to show that leadership, medical staff and governance have participated in or have received information related to risk assessments. Leadership is responsible for initiatives that develop a culture of safety and provide resources for patient care activities.


Risk assessments are expected by CMS, TJC, other accrediting agencies and regulatory bodies even though they may not be mentioned directly in regulations. Surveyors will expect to see completed risk assessment on items that carry risk within an organization or those that are required.  These assessments can range from: placement of eye wash stations – storage of hazardous waste – isolation precautions – food storage – patient flow through the admitting process to the continuity of operations in the emergency management plan.  We must remain vigilant that risk assessments are not all driven by CMS or by The Joint Commission.  Some assessments are required to be performed by other government and pseudo-government agencies.  Take for instance food and drink in work areas (OSHA requirement).  The organization is required to complete an exposure determination assessment.  This determination is then used in developing the exposure control plan.  This plan flows into the infection prevention and control plan (IPCP). The IPCP should ensure that the organization has specific locations where it is acceptable for staff to have food and beverages.   Eating and drinking in non-patient care areas can still have an impact under the safe work environment and slip / trip hazards under OSHA as well.

Remember, risk assessments can reduce the risk appetite if they are effective, complete and updated frequently.  For more information on risk assessments, tools and assessment processes visit the American Society for Healthcare Risk Management (ASHRM) at www.ashrm.org;  there are many free tools and related documents that are very helpful.


  1. Institute of Risk Management – 2019 https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance.aspx
  2. American Society for Healthcare Risk Management (ASHRM); ashrm.org
  3. State Operations Manual (SOM), Appendix A – Survey Protocol, Regulations and Interpretive Guidelines for Hospitals. December 2018
  4. Joint Commission – CAMH – HAP 2019
  5. CMS Language Access Plan tool; https://www.cms.gov/About-CMS/Agency-Information/OMH/Downloads/Language-Access-Plan-508.pdf

CMS Roadmap to the Opioid Epidemic https://www.cms.gov/About-CMS/Agency-Information/Emergency/Downloads/Opioid-epidemic-roadmap.pdf

James Ballard

Author James Ballard

More posts by James Ballard