The Joint Commission and Healthcare Security: Knowns, Known Unknowns and Unknown Unknowns
You’d be surprised at how many standards (Joint Commission and otherwise) could apply to your hospital’s security program.
As healthcare security practitioners, we have all heard of and have a healthy respect for the Joint Commission (or the Joint Commission on Accreditation of Healthcare Organizations, JCAHO) and their standards. Many of our facilities and organizations must meet these standards in order to receive accreditation and eligibility for federal funding and reimbursement. Other accrediting agencies include Det Norske Veritas and the Healthcare Facilities Accreditation Program (HFAP), but we will focus on the Joint Commission for now.
Before JCAHO became the Joint Commission, there was a specific and separate set of standards regarding security in the healthcare environment, but these security standards were combined with the safety standards in 2009. One result was a simplification of the security-specific verbiage as it was merged with safety-related standards. This also resulted in the somewhat confusing issue of where to find information related to certain aspects of the healthcare security function. There are numerous security-related standards that can affect hospitals and healthcare, but many of these are not where you would expect to find them in the current Joint Commission standards.
For the purposes of this article, I would like to characterize the standards that can impact security as “Knowns” (those that are in the security/safety standards section and are easily located); “Known Unknowns” (those that are not in the traditional security and safety standards but are somewhat easy to find in other standards, such as the Emergency Management and Medication sections); and then “Unknown Unknowns” (those standards that are somewhat obscure in nature and that many healthcare security practitioners would not readily recognize as having a direct impact upon their programs, such as the human resources and leadership sections).
Some of the “known” standards that most of us are familiar with include EC.01.01.0: “The hospital has a written plan for managing the following: the security of everyone who enters the hospital’s facilities.” This is the basis and requirement for your security management plan, and it is affected by another Joint Commission standard, namely EC 04.01.01, 15. That standard reads: “Every 12 months, the hospital evaluates each environment of care management plan, including a review of the plan’s objectives, scope, performance, and effectiveness.” So, to recap, you need a written security plan for all persons entering your facilities, and this plan must be updated and reviewed at a minimum annually for content and effectiveness.
Several other known standards include all security-related portions of EC 02.01.01: “The hospital manages safety and security risks,” which include such elements of performance as:
- “The hospital takes action to minimize or eliminate identified safety and security risks in the physical environment.”
- “The hospital identifies individuals entering its facilities.”
- “The hospital controls access to and from areas it identifies as security sensitive.”
- “The hospital has written procedures to follow in the event of a security incident, including an infant or pediatric abduction.”
- “When a security incident occurs, the hospital follows its identified procedures.”
It is very interesting to note that while there are many different topics and issues covered by this one standard, it is in no way prescriptive. The Joint Commission does not give any indication as to how you are to implement any of these mitigation techniques, only that they need to be done. For example, how you identify visitors entering your facility (color-coded self-expiring badges, electronic scans of photo ID, etc.) is up to you, so long as you have a process in place. Similarly, there is very little in the way of defining success for such standards (for instance, what exactly does “take action” mean in the first example?).
Another known standard is EC 04.01.01: “The hospital establishes a process(es) for continually monitoring, internally reporting and investigating the following: security incidents involving patients, staff or others within its facilities.” Other standards include, “Based on its process(es), the hospital reports and investigates the following: incidents of damage to its property or the property of others” and “security incidents involving patients, staff or others within its facilities.”