Industry Voices—Healthcare officials are required to plan for potential workplace violence. Here's what they need to consider

A physician in scrubs in a hospital hallway
CMS is deploying inspectors to ensure health institutions are compliant with rules that require annual all-hazards risk assessments and two annual training sessions. (Getty/NanoStockk)

When the Federal Register posted the final details of the Centers for Medicare & Medicaid Services’ (CMS) Emergency Preparedness Requirements in September 2016, it was the beginning of a profound regulatory change for healthcare providers and suppliers

The regulation established “national emergency preparedness requirements to ensure adequate planning for both natural and man-made disasters,” as well as “coordination with federal, state, tribal, regional and local emergency preparedness systems" by Nov. 15, 2017.

The upshot is that any medical institution that wishes to continue receiving reimbursement from Medicare and Medicaid programs had to have what amounts to a yearly all-hazards risk assessment. This includes detailed emergency planning and preparation for a variety of disaster and emergency circumstances.  It also includes two mandatory annual training sessions (one for active shooter response and another as a table exercise/review session). 

Keith Noble (Pinkerton)

It’s important to note that every facility must have this assessment and must conduct this annual training—not just a large hospital, but all associated facilities.

RELATED: After a tragic shooting on a Chicago hospital campus, officials look at lessons learned

Workplace violence and security is a particularly urgent and relevant topic in healthcare, not just as a regulatory concern, but as a pressing public health and safety issue. While FBI statistics reveal that healthcare facilities account for only 3% of active shooter incidents, an astonishing 45% of all workplace violence incidents occur in the healthcare industry, with 40 to 75% of healthcare workers reporting having suffered physical or verbal abuse from a patient or their family.

With that in mind, familiarizing yourself with the accepted best practices for properly creating and implementing a sufficiently protective and comprehensive workplace violence prevention program should be an urgent priority for healthcare executives, decision-makers and facility management/operations professionals.

RELATED: To combat workplace violence, step up reporting systems

There are six primary steps in conducting an all-hazards assessment and developing and implementing a robust security program, including:

Risk assessment

The first step is a comprehensive risk assessment, which should—like the steps that follow—ideally be conducted with the guidance and supervision of a trained security partner. The risk assessment evaluates the current security state of the facility, determining exposures, weak points and vulnerabilities.

RELATED: Joint Commission: 7 steps providers can take to prevent workplace violence 

Hospitals are necessarily accessible, which makes them vulnerable, almost uniquely so. A professional risk assessment should include both structural risk (fire, tornado, hurricane, etc.) and variable risk (based on the specific design, operation, functionality and current security setup of a specific facility). Every facility is very different. There are no shortcuts in this process. A comprehensive risk assessment is required to attain the deep, foundational understanding of structural and variable risk for every individual facility.

Impact Analysis

Once you have a detailed understanding of the threat landscape, the next step is to put those threats in context and conduct an impact analysis to evaluate what the real-world implications would be if any of those threats were to manifest themselves. An impact analysis can help inform smarter and more strategic decisions about how to deploy resources, and which vulnerabilities most urgently need to be addressed to protect both patients and medical personnel.

Solution design

The specific design of a robust security solution can vary widely from one facility to the next. Part of that solution might involve measures like security cameras and security professionals at entrances and other critical access points, but traditional threat deterrents and security measures can be much less effective in addressing workplace violence–where the perpetrators are almost always already inside the facility.

For example, a workplace violence action plan should include targeted training on how to de-stress and de-escalate volatile people and situations, and security infrastructure at interior access points (which might be just as important—or even more so) than security at main entrances. Each unique solution will include tailored recommendations tied to the physical security of each facility, and will account for specific factors, such as the surrounding neighborhood, and the layout and design of the facility. Prepackaged ready-made solutions are both inadequate and unsafe.

Because workplace tension can be a toxic precursor to workplace violence, an effective and responsive employee reporting and action plan should be a part of any comprehensive security solution. Employees need to be aware, active and fully engaged participants in the security program. They need to take ownership and not hesitate to report odd circumstances or suspicious or concerning behavior. And, when they do report that type of behavior, have confident measures in place for leadership to effectively deal with these situations.


The implementation process should be coordinated between the hospital and security professionals. While logistical and operational factors may influence the rollout, implementation is typically conducted in a phased approach that focuses on Tier One priorities before moving on to less critical issues.

Benchmarking and testing

After the security program has been formally implemented, the institution/facility and its security partners can conduct a benchmarking analysis—as well as follow-up testing and measurement—to ensure that new systems and procedures are working effectively. If necessary, minor adjustments and changes can be made at this time.

Training and reinforcement

Once a healthcare entity has engaged a security consultant to conduct an analysis and design and implement a comprehensive solution, it’s essential that this policy is not left on a shelf. It must be a “living” document. It must be reinforced and lived every day. It demands training—and that starts from the top-down. Corporate leadership must take ownership and design and drive the training program, ensuring participation and employee communication and engagement. Short of that, individual facilities will inevitably fail to comply and will be ill-prepared to respond to an emergency.

When properly designed, implemented and maintained, these plans, in addition to satisfying a demanding new regulatory mandate, will inevitably increase safety and security for staff and patients alike.

Furthermore, said efforts will also give medical professionals the tools they need to defuse potentially dangerous situations and help them to more effectively respond to crisis events.

Keith E. Noble, Ph.D., serves as the Miami Office Director for Pinkerton, the world’s leading provider of services and solutions that help organizations identify and mitigate noninsurable risk. Pinkerton has extensive experience supporting Fortune 1000 enterprises and other public/private institutions to develop and implement workplace violence and active shooter mitigation strategies. For more information, visit