Executive Summary

The roles of healthcare risk and quality professionals* are evolving in healthcare organizations. In the past, the two functions often operated separately, and individuals responsible for each function had different lines of reporting—an organizational structure that further divided risk management and quality. Today, risk management and quality improvement efforts in healthcare organizations are rallying behind patient safety and finding ways to work together more effectively and efficiently to ensure that their organizations deliver safe, high-quality patient care and continue to minimize risks.**

* The terms "quality improvement," "quality management," and "performance improvement" are used interchangeably in the healthcare literature. This Risk Analysis generally uses the terms "quality professional" and "quality manager."

** ECRI gratefully acknowledges the input provided by the following individuals in developing this Risk Analysis: Lee Hamilton, JD, MPA, RN, CPHQ, FNAHQ, PCMH CCE, senior consultant, Health APT, Selah, Washington, and Abraham Segres, MHA, CPHRM, FASHRM, vice president, quality and patient safety, Virginia Hospital & Healthcare Association.

Several initiatives in the last 15 years have helped to forge the alliance, starting with the Institute of Medicine's (IOM) 1999 report To Err Is Human: Building a Safer Health System, which underscored the need for healthcare organizations to monitor and learn from patient safety events (IOM To Err; Hutchinson et al.). The mandate to improve patient safety presented risk managers "with the opportunity to recreate our roles and also to use our existing skills to direct, mentor and lead the charge to improve patient safety within our organizations," said one risk manager (Gutman). Soon to follow was IOM's 2001 report Crossing the Quality Chasm, which said that healthcare safety and quality will not improve until systems of care are redesigned. "Trying harder will not work. Changing systems of care will," the report said. (IOM Crossing)

Joint Commission standards for patient safety, first issued in 2001, along with the organization's sentinel event policy and its ongoing initiatives for performance measurement, spurred organizations to act on IOM's recommendations and build better alliances between risk and quality professionals.

In the public sector, an increasing number of federal payment initiatives linked to healthcare quality have ensured that the combined efforts of risk and quality managers have the attention of healthcare leaders. These payment initiatives include value-based purchasing (i.e., Medicare payment enhancements to hospitals that meet specific quality targets), provisions to no longer pay the costs of certain hospital-acquired conditions, and financial penalties for hospitals with high rates of readmissions within 30 days of a patient's hospital discharge for the treatment of certain conditions.

In the private sector, numerous efforts to enhance healthcare quality have required a closer working relationship between risk and quality professionals to improve patient safety across the continuum of care. Initiatives include The Leapfrog Group's public hospital reporting initiatives to assist healthcare purchasers, the National Quality Forum's serious reportable events and recommendations of safe practices for healthcare organizations, and the National Committee for Quality Assurance's (NCQA) quality measures (called the Healthcare Effectiveness Data and Information Set, or HEDIS) for managed care.

Not only is a healthcare facility's quality-of-care data used to establish reimbursement rates, but it is also posted on the federal government's Hospital Compare website so that patients can use the data to select hospitals. The federal government also posts publicly available quality data for other healthcare providers, including long-term care facilities, physicians, home health providers, and dialysis facilities. Healthcare leaders recognize that poor-quality care can affect both the organization's bottom line and its reputation and that failure to integrate risk and quality efforts can imperil the organization's success.

Within this environment, risk and quality managers are doing more, but not always with additional resources. For example, organizations are adopting an enterprise-wide approach to risk and asking their risk managers to look beyond clinical risks to others, such as strategic and financial risks, affecting the organization. Quality managers are being asked to provide the data and analysis to support an increasing number of quality initiatives in both the public and private sectors. Risk and quality managers recognize that by collaborating to address overlapping issues and functions, they are more efficient in addressing shared interests and better able to focus on their distinct functions.

For these reasons—the need to redesign systems to enhance patient safety and the need to achieve operational efficiency—healthcare organizations are realigning their risk and quality activities. For example, some larger organizations are merging their patient safety, risk, and quality functions into one program, department, or institute. Although different individuals may be responsible for each area, they typically report to the same leader in the organizational hierarchy. In smaller organizations, risk and quality managers are better coordinating their efforts where they overlap to ensure better alignment of patient safety initiatives and use of limited resources.

Some organizations have also found advantages in using the legal protections granted by the Patient Safety and Quality Improvement Act of 2005 (PSQIA), as well as available state protections. These protections offer a framework to differentiate common and overlapping patient safety activities of risk and quality that can be performed within a legally protected environment from those activities that are performed separately outside federal and state legal protections.

Action Recommendations

  • Seek senior leadership support for aligning the patient safety, risk, and quality functions within the organization.
  • Ensure that the patient safety, risk, and quality activities are aligned with the strategic goals of the organization.
  • Assess current activities in patient safety, risk, and quality to clarify responsibilities and reduce duplication of effort.
  • Establish a structure that ensures that patient care activities are addressed in a coordinated manner involving the patient safety, risk, and quality functions.
  • Seek guidance to ensure that the structure for patient safety, risk, and quality activities maximizes legal protections while allowing for the flow of information across all functions.
  • Seek to coordinate and streamline process changes, data collection, data analysis, monitoring, and evaluation.
  • Learn from each other, capitalizing on the skills provided by each manager.
  • Periodically evaluate the roles of patient safety, risk, and quality as the organization's needs change.

Who Should Read This

Accreditation coordinator, Administration, Business office/finance, Chief medical officer, Corporate compliance, Human resources, Insurance, Legal counsel, Nursing, Patient safety officer, Quality improvement

The Issue in Focus

The discussion about integrating an organization's risk and quality activities is not new. Writing in 1990 about how rural hospitals are "doing more with less," a hospital risk manager and quality improvement professional described how risk management and quality assurance, as the function was previously called, were using a collaborative approach to share data to enhance patient care. "Each needs the data collected by the other to perform their individual responsibilities and to truly affect the viability of the hospital," they wrote. (Nance and Koch)

The risk manager's and quality professional's musings from 1990 are not that different from their perspectives today about risk and quality collaboration. "Risk management . . . continues to work closely with . . . quality management programs to improve quality while reducing liability risk," a risk manager more recently wrote. (Ambookan)

In today's demanding healthcare environment, organizations cannot afford to return to what a 2007 monograph from the American Society for Healthcare Risk Management (ASHRM) bluntly described as the "silo mentality" that had once dominated risk management and quality practice. "Information is too rarely exchanged between risk managers and quality managers and collaboration is too often minimal or nonexistent," stated ASHRM's monograph, Different Roles, Same Goal: Risk and Quality Management Partnering for Patient Safety. (ASHRM "Different")

In the past, a typical organizational chart might have had risk management reporting to a chief operating officer or a legal department and the quality and patient safety activities reporting to a chief medical officer. The organization hierarchy did not allow for any coordination of risk and quality functions, nor did it allow for sharing of data.

The following hypothetical scenario illustrates how separate reporting structures and segregated activities for risk and quality can limit their success. Risk management could be examining a particular issue—an increase in emergency department (ED) claims, for example—without knowing that quality has begun a process to improve the discharge process. An analysis of ED claims might suggest to the risk manager that inadequate communication of discharge instructions at the time of the patient's discharge from the ED is contributing to the increase in claims. Separately, the quality manager's evaluation might find that printed discharge instructions are outdated and inconsistently used. Some physicians may even be writing their own instructions, increasing the variability in discharge instructions provided to patients. If the risk and quality departments are unaware of each other's findings, their attempts to improve communication between patients and ED staff may result in incomplete strategies. The problems cannot be fully solved without input from everyone involved in the discharge process. (Youngberg and Weber)

This type of segregated organizational structure and function, with risk and quality operating in different silos of the organization, evolved from quality and risk management's historical and cultural roots.

Risk Management's Transition

Until the mid-1970s, risk prevention activities in healthcare organizations were decentralized and informal. Safety management focused on the hospital's physical environment and security, and risk prevention activities related to patient care were generally the domain of nursing. Risk management did not emerge as a distinct profession in healthcare, primarily in the hospital environment, until the mid-1970s, when the number of malpractice claims against physicians and hospitals increased dramatically and settlements and judgments skyrocketed. The result was a lack of affordable malpractice and hospital liability insurance. In response, healthcare organizations created risk-pooling programs, such as hospital-owned captive insurance companies. Many of the new risk financing programs offered reduced premiums to hospitals that had a risk management program because the practice was expected to reduce claims. In 1977, the American Hospital Association also encouraged hospitals to implement risk management programs as a solution to malpractice problems, calling risk management the "science for the identification, evaluation, and treatment of the risk of financial loss" (Dankmyer and Groves; Holloway and Sax). This multistep approach to identifying, addressing, and mitigating risk is typically described as the risk manager's decision-making process.

From its start, risk management's focus was to protect the financial assets and reputation of the organization (Kuhn and Youngberg). Rather than focusing on the underlying system design faults that contributed to the error, the risk manager would focus on defense of the claim or the lawsuit that might follow. The risk manager accomplished this by documenting the event, meeting with staff involved to learn about the event, and counseling those involved in the incident to refrain from discussing the information with others. Discussions with patients involved in an adverse event were often "too brief and vague" (Kuhn and Youngberg).

The IOM report To Err Is Human: Building a Safer Health System "changed the conversation" about medical errors by saying that bad systems, not bad people, lead to the majority of errors and injuries in healthcare (Leape and Berwick). The report called for better analysis of errors and near misses in order to design changes into healthcare delivery to prevent errors. "Building safety into processes of care is a more effective way to reduce errors than blaming individuals," the report said (IOM To Err).

The patient safety movement encouraged risk management professionals to expand their focus to include a proactive, preventive approach and to use a systems approach to understanding errors. Rather than limiting their focus to managing the aftermath of an event, "risk management must be integrated into the system and processes of healthcare work" (Youngberg "Meeting"). The Joint Commission's patient safety standards, first effective in 2001, provided an impetus to organizations to realign their focus on patient safety. The standards helped to bring attention to the need for creating a culture of safety that promotes transparency and a willingness to learn from mistakes in order to enhance patient safety and prevent similar mistakes from recurring.

While Joint Commission standards do not typically drive risk management activities, the patient safety standards, many of which are found in the leadership chapter of the Joint Commission's hospital accreditation manual, created a more proactive template for risk management. Starting with the 2015 edition, the Joint Commission devotes a chapter of its accreditation manual to patient safety systems. While the chapter does not establish new requirements for patient safety, it describes how facilities can use existing accreditation standards to improve patient safety (Joint Commission "Patient").

The accreditation standards support preventive and proactive loss control activities to enhance patient safety in addition to risk management's more typical activities in claims management and risk financing. This three-pronged description of the risk manager's functions (i.e., loss control, claims management, and risk financing) is the foundation of the classic textbook on healthcare risk management, Principles of Risk Management and Patient Safety, most recently updated in 2011 (Youngberg Principles).

Risk manager of today. Recent surveys of risk managers confirm that they are increasingly involved in the organization's patient safety work. Of the nearly 640 ASHRM members participating in a 2009 survey about staffing levels for risk management departments, 97% of respondents said that patient safety was either a primary or significant function for risk management; only 3% of survey respondents reported spending little or no time on patient safety (ASHRM "ASHRM 2009 Risk Management"). An earlier survey conducted in 1999 did not even list patient safety as a possible risk management function. Now, healthcare risk managers seeking designation from the American Hospital Association (AHA) as a certified professional in healthcare risk management must demonstrate an understanding of the combined topics of patient safety and clinical risk management in addition to four other areas. ASHRM is a personal membership group of AHA (AHA).

Most risk managers responding to the 2009 survey identified quality as an area where they have significant involvement (61%), and 22% identified the function as one of their primary activities. Nevertheless, 16% of risk managers said they have little or no involvement in quality activities.

Refer to Table 1. Top Activities for Risk Managers for a list of the principal activities identified by survey respondents as either their primary responsibility or one in which they have significant involvement.

In addition to the traditional areas of risk familiar to healthcare risk managers (i.e., patient care and worker safety risks), today's risk managers are taking a broader, enterprise-wide look at the risks faced by their organizations in meeting their mission to provide healthcare to their communities. For example, the organization must consider the risks of new business ventures, ranging from the acquisition of a physician practice to the decision to provide an emerging technology. Consequently, today's healthcare risk managers are borrowing the concept of enterprise risk management, initially developed in the business sector, to describe the diverse risks that they must address and manage.

For many risk managers, their involvement in patient safety and quality is a portion of their workload in an enterprise-wide approach to risk. Better coordination of their safety and quality activities with their colleagues who are also involved in these areas can help both achieve better results, as well as enable the risk manager to devote time to address other priorities.

For more information about the risk manager's role, refer to the Guidance Article The Role of the Healthcare Risk Manager: A Primer.

Quality's Transition

Hospitals' initial quality functions, first called "quality assurance programs," were applied in the healthcare setting (albeit informally) before risk management functions. Hospital committees comprising medical staff leaders and nursing supervisory personnel dealt with quality-of-care, physician, or nursing problems on an individual, ad hoc basis. To meet legal requirements for due process, hospitals began to impose structural requirements on both medical and nursing staff review committees.

By 1980, the Joint Commission established quality assurance standards as a formal, systematic program to measure the care rendered to patients against established criteria (Martin and Federico). Since then, the Joint Commission has incrementally revised the standards on quality, leading hospitals in the direction of integrated and coordinated hospitalwide efforts to continuously improve performance. The organization's performance improvement standards now represent a full chapter in its accreditation manuals, and it has fully integrated quality data collection and reporting into the accreditation process. For more information on the Joint Commission's and other organizations' programs for quality reporting, refer to the Guidance Article Quality-of-Care Measures.

In the late 1980s, NCQA worked with corporate purchasers of healthcare services to develop standards to measure quality across health plans. With HEDIS, NCQA's quality standards for health plans, quality measurement became a growing area of the quality professional's responsibilities. The Joint Commission and the Centers for Medicare and Medicaid Services followed with requirements for healthcare facilities to collect and report performance data. (Chassin and O'Kane)

According to the National Association for Healthcare Quality, the professional society for healthcare quality managers, a healthcare organization's quality manager may be involved in activities such as the following (NAHQ "Code"):

  • Establishing specific quality-related goals to measure the organization's processes and outcomes
  • Administering programs that focus on improved outcomes of patient care or healthcare delivery systems
  • Providing consultative services to departments and services in the organization to assist in achieving regulatory, accreditation, and organizational compliance in quality and performance improvement activities
  • Acting as a change agent to identify opportunities to improve, resolve problems, and evaluate the effectiveness of changes
  • Promoting proactive, rather than reactive, quality efforts
  • Leading teams that identify root causes of problems rather than focusing on individuals
  • Establishing patient satisfaction, including satisfaction with the care experience, as a primary goal for the organization's quality activities

Like AHA and ASHRM, NAHQ also requires that individuals seeking certification as a professional in healthcare quality must demonstrate an understanding of patient safety; it is one of four areas covered in NAHQ's certifying exam. (NAHQ "Certified")

Several of the activities, such as identifying opportunities for improvement, promoting proactive approaches, and identifying root causes of problems, overlap with those of the risk manager. Just as coordinating these overlapping activities helps the risk manager, so too does the quality manager benefit in achieving better results by bringing the two disciplines together and also in freeing time to complete their many other responsibilities.

Many of the principles and frameworks for quality improvement used in healthcare today were originally laid out by quality experts in manufacturing. For example, one model for assessing and improving quality used in healthcare today—called the Plan-Do-Check-Act model or Plan-Do-Study-Act model—was developed by Walter A. Shewhart and W. Edwards Deming to establish quality control measures for manufacturing (Dlugacz et al.). Other models for continuous quality improvement are similar to the one used by risk managers to guide decision making, further underscoring the shared aspects of the two disciplines (refer to the discussion Streamline Activities for a description of those models).

Healthcare organizations' application of the quality improvement approaches originally developed for industry continues today. Concepts currently popular in healthcare quality initiatives, such as Lean management (i.e., removing unnecessary steps in a process) and Six Sigma (i.e., eliminating the root causes of defects and errors in a process), were first developed for manufacturing processes at Toyota and Motorola, respectively.

Quality professional of today. In the years since IOM's seminal reports To Err Is Human and Crossing the Quality Chasm, hospital activity to improve quality has increased, according to a Health Research and Educational Trust issue brief summarizing a 2006 survey of 470 hospital chief quality officers or designated lead quality managers (HRET). The survey found that 93% of responding hospitals reported that quality improvement was explicitly declared a priority in the organization's strategic and/or business plans. Whether the results reflect all hospitals' experiences is unclear because the survey authors found that the responding facilities tended to embrace quality improvement efforts—as measured by their high performance in publicly reported quality measures on the federal government's Hospital Compare website. (Cohen et al.)

The study describes the role of the quality professional of today as very involved with nationally prominent quality activities, including several that promote public reporting of hospital-specific quality measures. These initiatives include the following:

  • The Joint Commission's core performance measurement activities, which use standardized performance measures for specified conditions such as heart attack, heart failure, pregnancy, and pneumonia
  • The federal government's Hospital Inpatient Quality Reporting program, which gives hospitals a financial incentive to report certain hospital performance data, some of which is made available to consumers on the Hospital Compare website
  • Pay-for-performance initiatives adopted by the federal government and other third-party payers
  • The Surgical Care Improvement Project, a national quality partnership to monitor surgical complications, such as infection and venous thromboembolism

The study was limited to quality initiatives in hospitals, although these initiatives extend across the continuum of care to nursing homes, home healthcare, ambulatory clinics and physician offices, surgical facilities, and managed care.

Patient Safety

Healthcare organizations struggle with where in the organizational structure patient safety activities should fall. Are they the responsibility of risk or quality? Or should they be housed in their own department devoted to patient safety? (Youngberg Principles).

ECRI Institute views patient safety as one of several intersecting activities of the risk and quality functions. Patient safety enables risk and quality programs to proactively examine care processes and risks and apply patient safety principles (e.g., human factors, systems thinking, just culture, transparency) to ensure the best outcomes for patients. Patient safety approaches also allow the risk and quality functions to dissect errors retroactively and apply the same principles of system redesign to minimize the errors' reoccurrence.

While the risk and quality functions may vary in organizations, a suggested delineation of their activities is depicted in Figure. Risk and Quality Functions Overlap in Patient Safety. Note that many of their overlapping activities promote patient safety.

Figure. Risk and Quality Functions Overlap in Patient Safety

As an example of separate and overlapping efforts, consider an organization's approach when a serious safety event such as a sentinel event, as defined by the Joint Commission, is identified through risk management reporting channels. Both quality and risk are involved in the response. While each program may separately address matters related to the event, they also share responsibilities and a common goal for the organization to provide safe, high-quality care. Both may need to review the medical record, although for different purposes. The risk manager looks at the record to determine whether the organization may be responsible or liable for an injury; the quality professional reviews the record to get more information about the event and how it occurred. The risk manager assists with the disclosure of the event to the patient and family and, if appropriate, alerts the insurance carrier to a potentially compensable event.

Both quality and risk are involved in conducting a root-cause analysis of the event. Either the risk or quality manager leads the team that conducts a root-cause analysis of the event; the other manager participates on the team. Both help to prepare an effective, sustainable, and enterprise-wide action plan for preventing similar events. The quality professional prepares a timeline to implement an action plan and suggests metrics for monitoring the plan's impact on patient outcomes. If the desired change is not achieved, the quality manager recommends further analysis—involving the risk manager and others—to develop strategies to achieve the desired outcome.

The Joint Commission's leadership standards suggest a framework for overlapping risk and quality activities by requiring that, at least every 18 months, organizations select a high-risk process and conduct a proactive risk assessment of the process to correct process problems and prevent adverse events (Joint Commission Comprehensive). The quality professional can identify high-risk processes based on patient outcomes data, and the risk manager can identify high-risk processes from event report or claims data. The risk and quality managers jointly participate in the proactive risk assessment because they bring their skills in identifying ways in which a process can break down, redesigning the process, and testing the redesign to minimize risk to patients. Once a new process is adopted organization-wide, the quality manager can measure and evaluate the effect that the new process has on patient outcomes, and the risk manager can monitor whether the new process reduces adverse events related to the process.

Regulations and Standards

In addition to federal initiatives in quality and patient safety, various state regulations can affect the organization's approach to patient safety, risk, and quality. For example, the National Academy for State Health Policy reports that 26 states plus the District of Columbia require adverse event reporting by healthcare facilities (Rosenthal and Takach).

Some states stipulate that a healthcare organization designate certain responsibilities to an individual or department. In Pennsylvania, for example, the Medical Care Availability and Reduction of Error Act requires that healthcare facilities appoint a patient safety officer with responsibility for the following (2002 Pa. Laws 154, No. 13):

  • Serving on a patient safety committee
  • Ensuring the investigation of event reports defined by the statute as "serious events" and "incidents"
  • Taking action to ensure patient safety as a result of the investigation
  • Reporting to the patient safety committee any actions taken to promote patient safety as a result of the investigation

Some Pennsylvania hospitals have identified the patient safety officer as a dedicated position; others have assigned the role to individuals with other responsibilities, such as risk and quality management (Pennsylvania Patient Safety Authority).

Some states' requirements focus on internal risk management programs, with attention to worker safety, physical facilities, clinical risk management, risk financing, or a combination of the above. Florida, for example, requires internal clinical risk management programs and stipulates that all facilities hire a "licensed" risk manager. (Fla. Stat. § 395.0197)

Accrediting organizations can also influence the organization's approach to patient safety, risk, and quality. For example, hospitals accredited by the Joint Commission must designate one or more qualified individuals or an interdisciplinary group to manage an organization-wide patient safety program (Joint Commission Comprehensive). The standards do not specify the qualifications of the individual who must manage the organization's patient safety program. If the organization has a patient safety officer, the responsibility will likely fall to that individual. In other facilities, the responsibility might be assigned to the risk or quality manager.

Another accrediting group, DNV GL Healthcare, requires accredited facilities to maintain a quality management program, with interdisciplinary representation from patient safety, risk, quality, and others. DNV GL's program, National Integrated Accreditation for Healthcare Organizations, incorporates the ISO 9001 quality management system standard and includes provisions for risk identification and assessment; quality measurement, monitoring, and analysis; and patient safety (DNV GL Healthcare).

Statutory Protections

Strategies to ensure the synergy of risk and quality programs will require organizations to consider a structure for shared communication and analysis suggested by PSQIA or by their state peer-review protections. Although state peer-review statutes vary, concerns about compromising peer-review protections by sharing certain information—such as information related to a physician's competence—sometimes create barriers in the sharing of information between risk and quality professionals.

Consider a 2007 Ohio court of appeals opinion in a malpractice lawsuit involving a physician charged with negligence in diagnosing and treating the plaintiff's ovarian cancer. While the documents used to evaluate the competence of the physician were protected under peer-review laws, other information contained in risk management files, such as patient complaints about the physician, was not created for peer-review purposes and therefore was not protected from discovery, the court said. (Legg v. Hallet)

In the case, the plaintiff charged the hospital with negligence in credentialing the physician and sought hospital documents, such as the physician's credentialing file and complaints lodged against the physician, to support her case. While the court agreed that peer-review material pertaining to the physician's competence was protected by a legal privilege of confidentiality, it reasoned that "any complaint documents contained in such [risk management] files that were not prepared by or for the use of [the hospital's] peer review committee are subject to discovery and may be obtained . . . even if the documents were produced or presented during peer review proceedings." Such concerns about ensuring the protections afforded by their state's peer-review statutes can prevent the sharing of sensitive and protected information between risk and quality departments.

Therefore, healthcare organizations will want to consider their state privilege statutes in building a framework that allows for more collaboration between risk and quality programs. The structure must maximize legal protections granted by the statutes while allowing for the flow of information across both functions (ASHRM "Different").

One framework to consider is offered by PSQIA, a federal law creating a national system for providers to voluntarily report medical errors, near misses, and other quality and patient safety information to designated organizations—called patient safety organizations (PSOs)—while having assurance that the information will be protected from legal discovery and will remain confidential. The act provides a broad grant of privilege from discovery for information that is considered "patient safety work product" and may provide greater protection from discovery than may be available under state law. The act also provides assurance that patient safety work product reported to a PSO will remain confidential.

The PSQIA enables healthcare organizations to establish a patient safety evaluation system as the mechanism for collecting, managing, and analyzing information to be reported to PSOs. As long as the information is collected with the intent of submission to a PSO, the patient safety evaluation system provides a protected environment for candid consideration and analysis of quality and safety information and is flexible and scalable to meet the needs of individual hospitals. It could serve as the framework for risk managers and quality professionals to conduct overlapping activities. Organizations will need to carefully evaluate the provisions of PSQIA and, with input from legal counsel, determine whether the framework suits some or all of their risk management and quality improvement activities.

There may be some activities—particularly provider credentialing and performance review—that the healthcare organization may not want to perform within the patient safety evaluation system. Once the information collected for the patient safety evaluation system is submitted to the PSO, it cannot be removed. So even though PSQIA permits an organization's credentialing and disciplinary proceedings to occur within the patient safety evaluation system, the hospital must consider the ramifications of this approach. Should a credentialing or disciplinary decision be challenged, a hospital would not be able to use its deliberations in court to defend its actions—unless all identified providers agreed to the disclosure—if the information is protected within the patient safety evaluation system.

For more information, refer to the Guidance Article Patient Safety and Quality Improvement Act.


Leadership Support

Action Recommendation: Seek senior leadership support for aligning the patient safety, risk, and quality functions within the organization.

Action Recommendation: Ensure that the patient safety, risk, and quality activities are aligned with the strategic goals of the organization.

Organizations that are evaluating the alignment of their patient safety, risk, and quality functions must obtain the support of senior leadership for the initiative. Leadership's support provides the necessary senior-level endorsement and resources for their activities, helps to identify a senior leader or several senior leaders who are ultimately responsible for the activities, and establishes a culture for safety and collaboration that permeates throughout the organization. Leadership backing is also important for gaining employees' and clinical staff's support for the patient safety, risk, and quality programs.

Senior leaders will support an examination of the organization's various patient safety, risk, and quality activities when they are shown how the aligned efforts can have a positive impact on the organization, as in the following areas:

  • Ensuring that the goals of the patient safety, risk, and quality programs are aligned with the strategic goals of the organization.
  • Creating a high-reliability organization. Such an organization is able to reduce variability in patient care—and, thus, potential errors—through standardization; to take information learned from errors and near misses and provide feedback to staff to improve the delivery of care; and to support leadership's commitment to safety and excellence (AHRQ).
  • Achieving and maintaining regulatory compliance.
  • Enhancing the organization's reputation in the community.
  • Boosting the organization's bottom line by, for example, enabling the facility to obtain federal payment incentives tied to care quality.
  • Meeting accreditation standards, which hold healthcare leaders responsible for creating and maintaining a culture of safety and quality.
  • Reducing operational redundancies and enhancing efficiency within the organization by eliminating non-value-added activities.
  • Cultivating senior leaders' and boards of trustees' increasing involvement in quality and patient safety matters by supporting the collection of concise board-level data on important initiatives, such as patient satisfaction, quality improvement projects, infection prevention, adverse event management, and medication safety.

Additionally, some facilities and their boards of trustees are holding the chief executive officer and other senior executives accountable for meeting patient safety and quality goals by ensuring that some of their pay is tied to goal achievement (ECRI Institute). As these initiatives increase and are extended to employee performance expectations, the risk and quality functions will find widespread support for their patient safety efforts.

Inventory of Activities

Action Recommendation: Assess current activities in patient safety, risk, and quality to clarify responsibilities and reduce duplication of effort.

The process for building and implementing an integrated approach for the patient safety, risk, and quality functions is not unlike the approach that risk and quality professionals use with their respective functions, starting with an assessment of a particular issue to evaluate the potential options available to address that issue. ECRI Institute recommends that organizations conduct an assessment of their current approaches to risk, safety, and quality by looking at the activities they handle, identifying the individuals or departments with primary responsibility for those activities, and determining any other individuals or departments that contribute to the activity.

ECRI Institute has developed a tool to use for this assessment. The Patient Safety, Risk, and Quality Inventory Tool lists various activities conducted by the patient safety, risk, and quality functions. While ECRI Institute's intent was to design a comprehensive list, some organizations may wish to modify the tool to add or delete functions. Some organizations may choose to identify additional individuals, such as an accreditation coordinator or corporate compliance officer, or departments, such as regulatory affairs, with responsibilities for the activities. When completing the tool, remember to consider all settings (e.g., ambulatory care, off-site ancillary services, continuing care) where services are provided by the organization.

Use the tool to ask whether the delineation of patient safety, risk, and quality functions is reliable and appropriately connected and to address questions such as the following:

  • Are there any areas where the responsibilities are unclear?
  • Are there areas where there is duplication of activities or redundant activities? Is there an opportunity to streamline these activities?
  • Are the different functions generating similar reports that could be streamlined into one report?
  • Are there areas where the responsibilities should be shifted to one of the other three functions or transferred to another department outside patient safety, risk, and quality?
  • Are there any non-value-added activities?
  • Are there any activities that are not currently performed by patient safety, risk, and quality for which they should assume responsibility?
  • Is the staff skill mix appropriate for the duties assigned or do staff need more training to acquire or further develop those skills?

As an example of what the inventory assessment could uncover, a hospital with a separate quality and risk manager may find that both individuals conduct their own event investigation but gather similar information. The assessment of these activities may prompt a discussion about whether there is an advantage to conducting the investigation jointly and, if so, how that can be done. There may be some aspects of the investigation that must be carefully confined to avoid jeopardizing legal protections that would affect who can and who cannot participate in that segment of the investigation.

An inventory assessment might also uncover duplication in other areas, such as patient clinical record reviews. Are different staff members assigned to review medical records to meet the objectives of various functions within the organization (e.g., occurrence screening, compliance with clinical processes, utilization review)? Could these tasks be accomplished by assigning one individual to review the record on behalf of all the staff members who are currently assigned to conduct these reviews?

As a clearer picture of activities and responsibilities emerges, ask whether the allocation of staff to the various functions is appropriate. Does the current allocation of staff time capitalize on the skills they can bring to the organization? Are any skills necessary for these activities missing and, if so, how can they be developed? Some healthcare organizations, for example, are finding that individuals with expertise in data analysis are increasingly needed to assist with their ever-growing demands for data measurement and reporting. Other facilities have found that individuals with expertise in human factors and systems engineering are needed to help with patient safety improvement projects. Are there individuals at the organization who already have this expertise, or is there a need to either provide training or hire individuals with these skills?

For some smaller organizations, where one person oversees the patient safety, risk, and quality functions, an analysis of staffing allocation can look at how the individual's time is allocated for these duties. Are there activities that are not getting the individual's necessary attention because of time limitations? The inventory might be helpful in highlighting the need for additional staff or the partial allocation of other staff members' time to assist with some of the activities.

Identify Structure

Action Recommendation: Establish a structure that ensures that patient care activities are addressed in a coordinated manner involving the patient safety, risk, and quality functions.

Action Recommendation: Seek guidance to ensure that the structure for patient safety, risk, and quality activities maximizes legal protections while allowing for the flow of information across all functions.

Once an assessment of the patient safety, risk, and quality activities is complete, the organization can begin to consider the most appropriate structure for these functions. This might be accomplished by first assembling a core team to reach consensus on the findings from the assessment and to make recommendations for which functions should be realigned. A new organizational structure can then be outlined. Policies and procedures should be developed to operationalize the changes. Additionally, a plan should be in place for communicating the realigned approach to staff and explaining how the new structure can affect their day-to-day activities, such as the reporting of adverse events.

The following are sample approaches to align risk management and quality improvement strategies with a focus on patient safety. The sample approaches are based on case studies published in risk and quality journals; suggested approaches presented by ASHRM in its monograph Different Roles, Same Goal: Risk and Quality Management Partnering for Patient Safety (see Resource List); and educational presentations made at various professional meetings.

Because each organization is unique, facilities must choose the approach that works best for them. There is no single best solution for all organizations. Nevertheless, tips that are recommended by those that have gone through the experience of reconfiguring their patient safety, risk, and quality efforts may apply whether the organization is considering significant changes or simply minor tweaking of these functions. Four key suggestions are outlined here:

  1. Consider having the patient safety, risk, and quality functions report to the same senior executive in the organization to achieve better communication and decrease the likelihood of duplicative efforts. Also, by ensuring that the leader of the department is at the executive level, the organization's safety, risk, and quality activities will have the necessary attention of its senior leaders. Reporting to the same senior leader will not always ensure integration; therefore, the senior executive should create systems for reporting, collaboration, and coordination of functions that move beyond reliance on the leader to recognize opportunities for coordination.
  2. Position personnel within the patient safety, risk, and quality functions in close proximity to each other to facilitate an atmosphere of sharing and identification of efforts that may require joint input from staff from the various offices. Locating offices near each other will also foster more frequent communication among staff involved in patient safety, risk, and quality. Use communication tools such as web conferencing and instant messaging applications to promote information sharing.
  3. Leave egos at the door. Those who have realigned their patient safety, risk, and quality functions have warned that fear of change can be a barrier to integration (Youngberg and Weber). Anticipate conflict, and have strategies in place to manage it. Identify and work to develop the strengths that each individual brings to the unified effort. While compromises and open discussion will be necessary and some egos may be bruised, over time, the integrated effort will benefit from increased innovation, decreased duplication, enhanced quality, and better use of resources (Youngberg and Weber). Recognize, however, that individuals whose personal and professional goals are incompatible with the realigned structure may not weather the transition (Segres).
  4. Develop a communication plan for informing staff members who work outside the patient safety, risk, and quality area about the group's activities. Decide in advance who from patient safety, risk, and quality is assigned to educate staff about the group's initiatives. The designated spokesperson may vary depending on the activity.

Approach One

At small and medium-size community hospitals up to about 350 beds, the responsibility for patient safety, risk, and quality may be assigned to one person (Lynch). Depending on the organization, this person may have additional responsibilities such as infection prevention and corporate compliance. Since these institutions are more likely to be commercially insured, the individual may have less responsibility for some of the risk financing and claims management functions. Finding opportunities for synergy between risk and quality is, obviously, less of an issue for the individual who wears both these hats.

The individual should be visible in the institution and offer his or her expertise in preventing financial loss as well as improving patient care. The professional should proactively look for opportunities to apply risk and quality management skills to resolve system weaknesses and should strive to become the "go to" person for enhancing quality of care, ensuring patient safety, and minimizing losses to the organization. Additionally, the professional can serve as a resource for other nonclinical matters—such as regulatory directives from government agencies—that can affect the financial health of the institution and its ability to deliver high-quality care.

As an example, imagine that the occurrence screening system identifies a baby born with a low Apgar score. Because of the clinical nature of the event, while wearing the quality hat, this professional would want to investigate the case for evidence of substandard care as well as evidence of individual- or service-specific trends or patterns. Performance indexes would be sent to the medical staff office or clinical department director for review. If the investigation reveals patterns of substandard care, the professional's quality improvement expertise would be needed to identify, design, implement, and monitor interventions to address the issue. Wearing the risk management hat, this professional would open a file on the case as a potentially compensable event and would continue to use his or her risk management expertise to investigate the facts surrounding the particular case in anticipation of a possible claim or lawsuit.

Approach Two

In medium-size to large hospitals and medical centers with more than 350 beds, professionals such as risk and quality managers are more likely to specialize in their discipline and less likely to assume multiple job responsibilities (Lynch). At minimum, the two programs or departments should be sharing data on adverse events, peer review, and quality-of-care concerns (ASHRM "Different"). Additionally, representatives from the two departments should meet on a regular basis to address issues of mutual concern, such as patient safety matters.

As outlined in ASHRM's monograph Different Roles, Same Goal: Risk and Quality Management Partnering for Patient Safety, an excellent starting point for a collaborative model is outlining a process for responding to adverse and sentinel events. The ASHRM monograph describes one healthcare system's adverse event policy and outlines both the separate and then the combined responsibilities of risk and quality professionals in responding to an event and developing strategies to prevent recurrence of similar events. These separate and combined responsibilities are illustrated in Table 2. Sample Risk and Quality Activities in Response to an Adverse Event.

Another approach the risk and quality managers might use to better understand their shared goals is to participate in a mock tracer process to simulate one of the Joint Commission activities during an on-site survey. The tracer methodology selects a patient's chart to retrace that patient's care as the individual moved through the organization. The Joint Commission uses the tracer methodology to evaluate the organization's compliance with selected standards. Typically, surveyors select the record of a patient who received complex or multiple services. Risk and quality managers can use the activity to discuss the processes that are of concern to them, evaluate the completeness of the information available to them from the patient record and other data sources, identify any information gaps, and review any improvements that each considers necessary for improved patient care. The exercise can help each professional gain an understanding of the other's perspective and needs to accomplish their duties.

Some organizations with separate risk and quality managers have even found that by cross-training their managers in understanding the basic skills of the other, one manager can provide backup support in the other's absence due to vacation, sickness, out-of-office meetings, or management of a critical event requiring one of the managers' attention.

Approach Three

Some larger systems with multiple healthcare facilities have established institutes or a department in the organization dedicated to patient safety, risk, and quality (ASHRM "Different"). Various related functions or activities—all relocated to be near each other in the organization—are assigned to a group at the integrated system level, such as an institute, and report to a single leader, such as a chief executive officer, who can leverage their influence with the rest of the executive team and diffuse the safety culture across the organization.

Designated members of the patient safety, risk, and quality department should participate in weekly team meetings to ensure timely communication of important issues of mutual interest. Topics covered during these meetings might include the following: accreditation issues; patient complaint data; claims data; sentinel event response and opportunities for process improvements; federal, state, and local regulatory issues; and strategic planning. These meetings—which are separate from quality improvement and risk management committee meetings—offer an opportunity for the different groups and their team leaders to recognize common themes and opportunities for collaboration that might otherwise be overlooked. (ASHRM "Different")

A similar model for a combined quality and patient safety institute has been adopted by an Ohio-based not-for-profit health system with multiple hospitals, ambulatory care settings, and other services (Nadzam et al.). The institute's priority is "to create a culture of 'best practices,' ensuring optimal patient care in the safest environment." Departments housed in the institute include accreditation, clinical risk management, environmental safety, infection control, quality, quality data registries, and quality improvement (Cleveland Clinic).

When departments such as risk and quality work in silos, they might conduct inefficient dual investigations of events. Within a unified structure, risk and quality can better coordinate their evaluation of events. For example, in some organizations, risk management might address higher-risk events such as sentinel events, and quality might manage lower-severity events that lend themselves to trending. In other organizations, risk management might conduct the root-cause analysis, develop an action plan, and seek quality's input in developing target dates for implementing the action plan, identifying metrics to measure the effectiveness of the action plan, and assigning responsibility for implementation of the plan. Elsewhere, the risk manager, because of state protection statutes, may leave the sentinel event investigation to his or her quality colleagues to maintain those protections while collaborating on educating staff members on the findings from the investigation and providing training on the mitigation strategies identified to prevent similar events.

As a new structure is developed, consider whether the realigned department requires new skills from its team members. For example, individuals from a siloed structure may be accustomed to working independently. In a realigned structure, staff may be required to demonstrate other skill sets, such as an ability to work in teams on collaborative projects. In addition, the merging of functions might call for staff members who previously worked alone to assume supervisory or management duties. It is imperative that such professionals be carefully selected and receive ample training and development.

Streamline Activities

Action Recommendation: Seek to coordinate and streamline process changes, data collection, data analysis, monitoring, and evaluation.

The approaches that risk and quality managers use to identify problem areas, implement changes, and sustain improvement are often similar. Refer to Table 3. Similar Approaches to Address Risk and Quality for a side-by-side comparison of the steps they each follow in approaching risk mitigation and process improvement. Recognizing the similarities in how they address organizational change, the risk and quality managers should approach their overlapping activities in a coordinated manner to avoid duplication while ensuring that their concerns are addressed.

For example, assume that the risk and quality managers are considering measures to evaluate the organization's discharge process. The quality professional may want to implement measures that largely focus on the efficiency and quality of the discharge process. Was a discharge coordinator assigned to handle the patient's care? How soon after the patient's admission did discharge planning begin? To what settings are the organization's patients discharged? If a patient was readmitted, how soon after discharge did the readmission occur? While these are important measures for evaluating the discharge process, the risk manager, knowing that dissatisfied patients are more likely to take legal action against a provider, may also want to collect additional patient satisfaction indicators known to be relevant in this specific type of event. By collaborating on their data collection and assessment efforts, the risk and quality managers can ensure that their evaluation and response to the discharge process not only meets their respective objectives but also ultimately meets the organization's mission to deliver high-quality, safe care.

As another example, consider how the collaborative effort of risk and quality helped a healthcare system improve the quality of care provided to hearing-impaired patients as well as ensure compliance with federal requirements under the Americans with Disabilities Act to provide effective communication for hearing-impaired patients. Risk management approached quality improvement about conducting a performance improvement initiative for services provided to hearing-impaired patients after noting an increase in the number of claims at its facilities for failing to provide sign language interpreting services to its patients. (Ambookan)

Further analysis by the quality professional found that the facilities with no claims activity in this area also had comprehensive programs in place for their hearing-impaired patient population. Their coordinated efforts identified the need for a full-time sign language interpreter, additional assistive hearing devices, posted signs informing patients of interpreter services, and more. The system reported that the quality of care provided to hearing-impaired patients improved, resulting in no more claims for failing to provide sign language interpreters. (Ambookan)

Some experts have suggested that risk and quality managers proactively evaluate a process in which they have a shared interest, such as discharge planning or the provision of services for the hearing impaired, to determine that their goals for reduced risk and improved care processes are met. Using a technique such as failure mode and effects analysis, they can evaluate a proposed process change to ask whether it can reduce risks and improve care quality while having no unintended effects on other risk, quality, and safety initiatives. (Martin and Federico)

Once a process is in place, the risk and quality manager should share in the evaluation and analysis of any data collected. If the information suggests the need for further changes, both the risk and quality manager, as well as any other stakeholders, should participate in decision making about improving the approach.

Coordinate Data Collection

Data is essential for risk and quality managers to perform their jobs. The risk manager analyzes information, such as potential and actual claims data and adverse event frequency and severity data, to identify areas for improvement that can reduce the potential for errors and patient harm. The quality manager uses record reviews, direct observations, and trigger tools to analyze the effectiveness of an organization's processes and to collect the necessary quality data required by accrediting and regulatory bodies. As healthcare systems continue to convert to electronic health records, the volume of data available to risk and quality managers is rapidly growing.

By knowing how each is collecting and using data, risk and quality managers can support the other's activities as well as ensure the synergy of their efforts. Given the time demands for risk and quality managers, all of these professionals benefit from avoiding duplicative and overlapping efforts.

ECRI Institute recommends using the Patient Safety, Risk, and Quality Inventory Tool to identify the data and information collected for various activities and to examine how that information can enhance patient safety, risk, and quality efforts. How can information collected by one department enhance the efforts of other departments? For example, data that might be conveyed from quality to risk management could include provider-specific reports, department reports, minutes of peer-review activities involving potential liability issues (precautions must be taken to not jeopardize any legal protections under peer-review statutes), and results from quality improvement projects. Data that might be conveyed from risk management to quality could include information on specific claims brought against a particular service or for a particular reason during a specified period of time, event and near-miss report data uncovering problems not identified through other data sources, and safety management data related to preventing injury to patients, visitors, or staff during the performance of clinically related activities.

The sharing of data across activities should not jeopardize any protections granted by state provisions, such as peer-review privileges. If data collected by quality is used for protected peer-review activities, it cannot be further disseminated if it is to retain its full protections. The Patient Safety, Risk, and Quality Inventory Tool can be used to distinguish between data and information that can be shared outside peer review and data that must remain within the confines of peer review to retain its legal protections.

Share Knowledge and Skills

Action Recommendation: Learn from each other, capitalizing on the skills provided by each manager.

Risk and quality managers can support each other by sharing their knowledge and skills. As an example, consider how each approaches data, which, when presented correctly, can be a powerful motivator for staff to sustain risk and quality initiatives. It is motivating for staff to see that a particular patient care initiative that they have implemented has led to patient care improvements. When they see firsthand the positive results, they are more likely to embrace that change rather than return to older, less effective practices.

But the data must be presented in a "relevant and credible context" to engage physicians and other caregivers in the organization's patient safety and quality improvement efforts (Martin and Federico). Although claims data has been a rich source of information for risk managers who want to focus on certain high-risk areas in an organization, the information obtained from these reporting systems is often insufficient to bring about change (ASHRM "Data").

Instead, the organization will benefit from a systematic approach to data collection and analysis typically used by quality professionals. They are familiar with techniques for data analysis and presentation of information in digestible formats, such as flowcharts, control charts, and Pareto charts. These approaches can be used to present credible, evidence-based recommendations to support change that benefits patient safety in an organization.

Conversely, risk managers can provide a unique perspective in assisting quality managers with the public release of hospital-specific quality data. For example, risk managers can review the data before the information is posted publicly, with an eye toward any possible unintended use of the data, such as by plaintiff attorneys, or any possible negative impacts to the organization's reputation.

Monitor Effectiveness

Action Recommendation: Periodically evaluate the roles of patient safety, risk, and quality as the organization's needs change.

Improved collaboration between risk and quality can contribute to an organization's success in enhancing patient safety and minimizing patient harm. The organization will realize other benefits from this collaboration, such as improved communication among groups, less duplication of effort, and better coordination of activities. Whether the collaborative activity is undertaken by an individual, by outlining coordinated approaches through organizational policy, or by aligning the patient safety, risk, and quality activities in one department, organizations that adopt these approaches will benefit. Certainly, they will be better positioned to respond to IOM's call to find system solutions to prevent and mitigate patient harm.

Notwithstanding the many benefits of a coordinated approach, healthcare organizations should periodically evaluate the role of patient safety, risk, and quality because their needs are likely to change over time. These changes may ensue as organizations respond to external factors, such as new regulatory initiatives, or to internal factors, such as staff changes and organizational restructuring. Organizations can benefit from these changes because they prompt staff to question why things are done a certain way and to look for new ways to collaborate with the common goal to achieve higher levels of healthcare quality and safety.

As they would approach any process improvement or risk reduction initiative, risk and quality managers should routinely evaluate their organizational structure and their approaches to collaboration and communication to determine whether they are achieving their desired results. If they are not, they should be prepared to revisit their approach to identify better ways to achieve their goals. Periodically revisiting their structure and workflow is a vital part of continuously improving the organization's patient safety, risk, and quality approaches.




2002 Pa. Laws 154, No. 13. Medical Care Availability and Reduction of Error (Mcare) Act. Also available at http://patientsafetyauthority.org/PatientSafetyAuthority/Governance/Documents/act_13.pdf

Agency for Healthcare Research and Quality (AHRQ). Becoming a high reliability organization: operational advice for hospital leaders [online]. 2008 Apr [cited 2014 Oct 8]. http://archive.ahrq.gov/professionals/quality-patient-safety/quality-resources/tools/hroadvice/hroadvice.pdf

Ambookan M. An integrated delivery system's approach to identifying and reducing risk. J Healthc Risk Manag 2003 Spring;23(2):27-32. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/15825470

American Hospital Association (AHA). Certified professional in healthcare risk management: candidate handbook and application [online]. 2014 Jun [cited 2014 Oct 20]. http://www.aha.org/certifcenter/files/CPHRM%20Handbook%20June%202014.pdf

American Society for Healthcare Risk Management (ASHRM):

ASHRM 2009 risk management facility staffing survey: summary of findings [special report online]. 2010 [cited 2014 Sep 17]. http://www.ashrm.org/ashrm/resources/2009ASHRMstaffingsurvey.pdf

Data for safety: turning lessons learned into actionable knowledge [online]. 2008 [cited 2014 Oct 3]. http://www.ashrm.org/pubs/files/white_papers/Mono_ActionKnowledge.pdf

Different roles, same goal: risk and quality management partnering for patient safety [online]. 2007 [cited 2014 Sep 25]. http://www.ashrm.org/pubs/files/white_papers/Monograph.07RiskQuality.pdf

Chassin MR, O'Kane ME. History of the quality improvement movement. Chapter 1. In: March of Dimes. Toward improving the outcome of pregnancy III: enhancing perinatal health through quality, safety and performance initiatives [online]. 2010 Dec [cited 2014 Oct 20]. http://www.marchofdimes.org/materials/toward-improving-the-outcome-of-pregnancy-iii.pdf

Cleveland Clinic. Quality & Patient Safety Institute [website]. [cited 2014 Sep 25]. Cleveland (OH): Cleveland Clinic. http://my.clevelandclinic.org/about-cleveland-clinic/quality-patient-safety

Cohen AB, Restuccia JD, Shwartz M, et al. A survey of hospital quality improvement activities. Med Care Res Rev 2008 Oct;65(5):571-95. Also available at http://www.healthpolicyfellows.org/pdfs/MedicalCareResearchandReviewbyAlanCohenetal.pdf

Dankmyer T, Groves J. Taking steps for safety's sake. Hospitals 1977 May 16;51(10):60-2, 66. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/863417

DNV GL Healthcare. NIAHO accreditation requirements and interpretive guidelines: acute care [online]. 2012 Nov [cited 2014 May 19]. Available with registration at http://dnvglhealthcare.com/registration

Dlugacz YD, Restifo A, Greenwood A. The quality handbook for health care organizations: a manager's guide to tools and programs. San Francisco (CA): Jossey-Bass; 2004.

ECRI. Incentives for patient safety: holding healthcare executives accountable. Risk Manage Rep 2008 Aug;27(4):1, 3-10.

Fla. Stat. § 395.0197 (2013). Also available at http://www.leg.state.fl.us/statutes/index.cfm?mode=ViewStatutes&SubMenu=1&App_mode=Display_Statute&Search_String=395.0197&URL=0300-0399/0395/Sections/0395.0197.html

Gutman ME. The risk manager's role in creating an organizational patient safety strategy. J Healthc Risk Manag 2001 Fall;21(4):13-8. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/11729492

Holloway S, Sax A. AHA urges, aids hospitals to adopt effective risk management plans. Hospitals 1977 May 16;51(10):57-9, 66. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/863416

Hospital Research and Educational Trust (HRET). Hospital quality improvement activities: a snapshot of the state of the art [online]. 2008 [cited 2009 Mar 4; link no longer available].

Hutchinson A, Young TA, Cooper KL, et al. Trends in healthcare incident reporting and relationship to safety and quality data in acute hospitals: results from the National Reporting and Learning System. Qual Saf Health Care 2009 Feb;18(1):5-10. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/19204125

Institute of Medicine (IOM):

Crossing the quality chasm: a new health system for the 21st century. Washington (DC): National Academy Press; 2001. Also available at http://www.nap.edu/openbook.php?isbn=0309072808

To err is human: building a safer health system. Washington (DC): National Academy Press; 2000. Also available at http://www.nap.edu/openbook.php?record_id=9728

Joint Commission:

Comprehensive accreditation manual for hospitals. Oakbrook Terrace (IL): Joint Commission Resources; 2014.

Patient safety systems chapter [online]. 2014 Oct 17 [cited 2014 Oct 20]. http://www.jointcommission.org/assets/1/6/PSC_for_Web.pdf

Kuhn AM, Youngberg BJ. The need for risk management to evolve to assure a culture of safety. Qual Saf Health Care 2002 Jun;11(2):158-62. Also available at http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1743589 PubMed: http://www.ncbi.nlm.nih.gov/pubmed/12448809

Leape LL, Berwick DM. Five years after To Err is Human: what have we learned? JAMA 2005 May 18;293(19):2384-90. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/15900009

Legg v. Hallet, No. 07AP-170 (Ohio Ct. App. Dec. 11, 2007).

Lynch K. The healthcare risk management professional. Chapter 5, Volume 1. In: Carroll R, ed. Risk management handbook for healthcare organizations. 6th ed. San Francisco (CA): Jossey-Bass; 2011:125-68.

Martin PB, Federico F. Risk management's role in performance improvement. Chapter 11, Volume 1. In: Carroll R, ed. Risk management handbook for healthcare organizations. 6th ed. San Francisco (CA): Jossey-Bass; 2011:285-300.

Nadzam DM, Atkins PM, Waggoner DM, et al. Cleveland Clinic Health System: a comprehensive framework for a health system patient safety initiative. Qual Manag Health Care 2005 Apr-Jun;14(2):80-90. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/15907017

Nance D, Koch MW. Quality management in rural health care: integrating risk management makes a difference. Perspect Healthc Risk Manag 1990 Fall;10(4):25-9.

National Association for Healthcare Quality (NAHQ):

Certified professional in healthcare quality examination specifications [online]. [cited 2014 Oct 20]. http://www.nahq.org/uploads/2014_Content_Outline.pdf

Code of ethics and standards of practice for healthcare quality professionals [online]. 2011 [cited 2014 Sep 17]. http://www.nahq.org/uploads/files/about/codestandards.pdf

Pennsylvania Patient Safety Authority. A conversation with patient safety officers [online]. 2007 Mar [cited 2014 Oct 1]. http://patientsafetyauthority.org/NewsAndInformation/OtherPublications/Documents/Brochure_Conversation_2007_2.pdf

Rosenthal J, Takach M. National Academy for State Health Policy. 2007 guide to state adverse event reporting systems [survey report online]. 2007 Dec [cited 2014 Oct 20]. http://www.nashp.org/sites/default/files/shpsurveyreport_adverse2007.pdf

Segres A. Integrating patient safety and risk management: lessons learned. Remarks at: Annual conference and exhibition of the American Society for Healthcare Risk Management; 2007 Oct 10-13; Chicago (IL).

Youngberg BJ. Meeting the challenges of patient safety through the design of a new risk management process. J Healthc Risk Manag 2001 Fall;21(4):5-11. PubMed: http://www.ncbi.nlm.nih.gov/pubmed/11729497

Youngberg BJ, ed. Principles of risk management and patient safety. Sudbury (MA): Jones & Bartlett Learning; 2011.

Youngberg BJ, Weber DR. Integrating risk management, utilization management, and quality management: maximizing benefit through integration. Chapter 4. In: Youngberg BJ, ed. The risk manager's desk reference. Gaithersburg (MD): Aspen Publishers Inc.; 1998:27-42.

Resource List

American Society for Healthcare Risk Management

Institute for Healthcare Improvement

Institute of Medicine

Joint Commission

National Association for Healthcare Quality

Pennsylvania Patient Safety Authority

Additional Materials

Table 1. Top Activities for Risk Managers* 

| Primary Responsibility | Significant Involvement |
| --- | --- |
| Risk identification and evaluation | Environmental safety |
| Claims management | Quality/performance improvement |
| Litigation management | Education |
| Loss prevention | Ethics |
| Patient safety | Security/privacy |
| Insurance program oversight | Regulatory compliance |

* The information is based on nearly 640 ASHRM members participating in a 2009 survey about staffing levels for risk management departments. Respondents were asked to indicate their level of involvement in 27 activities from the following choices: primary, significant, little/no involvement, and unknown. The activities listed are the top six areas, listed in descending order, for which respondents reported having either primary responsibility or significant involvement.

Source: American Society for Healthcare Risk Management (ASHRM). ASHRM 2009 risk management facility staffing survey: summary of findings [special report online]. 2010 [cited 2014 Sep 17]. http://www.ashrm.org/ashrm/resources/2009ASHRMstaffingsurvey.pdf


Table 2. Sample Risk and Quality Activities in Response to an Adverse Event 

| Risk Management | Quality Improvement | Combined Activities of Risk and Quality |
| --- | --- | --- |
| The risk manager is notified immediately upon identification of a possible adverse event. The risk manager ensures that staff involved in the incident submit an event report before the end of their shift. | The quality manager initiates a chart review and establishes a timeline for the review. | Risk management, quality improvement, and other designated individuals and departments begin an investigation within 24 hours of notification of the incident. |
| The risk manager secures the medical record and other documentation associated with the event, as well as any equipment, supplies, and related materials. | The quality manager enlists another healthcare professional (peer reviewer) to examine the medical record. | The risk and quality managers meet with the peer reviewer to discuss findings and their investigation of the event. |
| The risk manager provides immediate assistance to the individuals (patient, family, and staff) involved in the event. If appropriate, staff are referred for further counseling. As soon as possible, the risk manager notifies the quality improvement manager of the incident so that he or she can coordinate an investigation of the event. | Quality improvement oversees a root-cause analysis if the event meets the definition of a sentinel event or if further analysis is deemed necessary. | The risk and quality managers participate on a review team consisting of a senior leader, chief of staff, nurse executive, and others to review the preliminary investigation and determine whether the incident is a sentinel event and requires a root-cause analysis. |
| If the incident meets the reporting criteria defined by the organization, state, and/or accrediting agency, the risk manager notifies an executive leader of the incident. | Quality improvement ensures that risk reduction strategies are identified from the root-cause analysis. | After the root-cause analysis and action plan are completed, quality improvement, in conjunction with risk management, ensures that appropriate interventions are taken to prevent recurrence of the event. |
| The administrator-on-call, risk manager or other designee, and the attending physician coordinate communication about the incident with the patient and family. | Quality improvement develops a plan for monitoring the effectiveness of these strategies. | |
| Risk management is kept informed of all corrective actions taken once the risk reduction strategies from a root-cause analysis are identified and implemented. | Quality improvement monitors the effectiveness of the risk reduction strategies. | |

Source: American Society for Healthcare Risk Management. Different roles, same goal: risk and quality management partnering for patient safety [online]. 2007 [cited 2014 Sep 25]. http://www.ashrm.org/ashrm/education/development/monographs/Monograph.07RiskQuality.pdf


Table 3. Similar Approaches to Address Risk and Quality

| | Risk Management Decision Making | Continuous Quality Improvement |
| --- | --- | --- |
| Step one | Identify and evaluate risks | Identify and define a process breakdown |
| Step two | Examine risk management techniques | Analyze the problem |
| Step three | Select the best techniques | Develop an action plan |
| Step four | Implement selected techniques | Implement the action plan |
| Step five | Monitor and evaluate for effectiveness | Evaluate results to confirm that the process breakdown has been addressed |

Publication History

Published November 18, 2014