Health-Care Security and Regulations: A Thorny Balancing Act

End-User Insider is a new monthly column featuring security managers from across the vertical market landscape who will share their unique perspectives and provide “voice of the customer” input.

The Joint Commission. Centers for Medicare & Medicaid. OSHA. None of these agencies are particularly frightening or controversial by themselves. But in context, they take on wholly different meanings. For example, the reaction to “the Joint Commission is issuing a new paper” is remarkably different to “the Joint Commission is pulling into the parking lot.”

In a hospital or health-care environment, there are a tremendous number of regulatory agencies that facilities have to deal with on a routine basis. Failure to comply with seemingly countless rules and procedures could have disastrous results for the organization. In this column, we will identify a few of the more common health-care regulatory agencies; who they are and how they impact anyone with security responsibilities within the facility (from practitioners to systems integrators to vendors and manufacturers).

See the Forest Through the Trees

Many times a certain regulation or standard might not be nearly as cut and dry as we would like in the security world (few things rarely are). But by having a basic understanding of the intent of the standard or regulation, and not just the verbiage alone, we can better navigate potential pitfalls and improve the security and safety of organizations by meeting both the letter and the spirit of the rules.

For example, a new Joint Commission update went into effect on July 1 in which the Sentinel Event Policy has been expanded to include events affecting staff, visitors and even vendors and contractors who are on the premises of the health-care organization. (Note: The Joint Commission defines sentinel event as, “an unexpected occurrence involving death or serious physical or psychological injury, or the risk thereof. The phrase ‘or the risk thereof’ includes any process variation for which a recurrence would carry a significant chance of a serious adverse outcome.”)

On the face of it, this appears to be more of a clinical or administrative issue, and many in the health-care security industry might suggest this doesn’t involve security. Consider, however, the change of policy regarding events the Joint Commission perceives as “reviewable” for the purpose of investigating a sentinel event, include: Abduction of any patient/resident/individual served receiving care, treatment and services (think infant protection systems, wander alerts, access control systems); sexual abuse/assault (including rape) of any patient/resident/individual receiving care, treatment and services (think CCTV for parking areas, duress/panic alarms, lighting); and assault (leading to death or permanent loss of function) or homicide of a staff member, licensed independent practitioner, visitor or vendor while on site at the health-care organization.

Now do you think this might impact our industry? Especially when the root cause analysis after such an event will likely review not just security procedures but the availability and functionality of any electronic security countermeasures that were in place, including their design and implementation? The Joint Commission members put it well when they wrote: “An organizational culture of safety would encompass all people within an organization and not just one group (that is, patients, residents or individuals served). The revision to the Sentinel Event Policy supports this principle by not differentiating in its processes and by ensuring a robust review, regardless of who the victim is, of any sentinel event. As with all activity involved in root cause analyses, the aim is to learn as well as to improve.”

This is a great sentiment that I am sure we all endorse, but as security professionals we need to work harder at understanding the why and not just the what and how. By having a deeper understanding of security’s role as it relates to existing regulations, regardless of the industry, we can improve not just the quality and delivery of products and services but truly become a key component in fulfilling the mission of our customers and their organizations.

Challenging, indeed, but anything worthwhile usually is.

Bryan Warren, MBA, CHPA, CPO-I, is Director of Corporate Security for the Carolinas HealthCare System in Charlotte, N.C.


If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.

A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!

Subscribe Today!

Get Our Newsletters