Policies and Procedures for Healthcare Organizations: A Risk Management Perspective

By Anne V. Irving, MA, FACHE, DFASHRM

“Large healthcare institutions may be the most complex in human history, and even small healthcare organizations are barely manageable.” ~Peter Drucker

Risk management professionals should not take lightly the complexity associated with providing healthcare services. While regulations, third-party payer requirements, and licensing/accreditation standards contribute to this complexity, formalized policies and procedures can mitigate it by promoting workplace safety, regulatory compliance, and the delivery of safe, high-quality patient care. Moreover, well-written, up-to-date policies and procedures reduce practice variability that may result in substandard care and patient harm.

The operational challenges associated with drafting (and maintaining) comprehensive written policies place heavy demands on healthcare managers. Given increasing financial pressures and the top-priority status that must be given to direct patient care, managers may find it difficult to find time to review or update policies and procedures. Deferring policy and procedure development, however, may result in negative consequences. Policies and procedures may become outdated, and those who adhere to outdated policies may carry out actions that are no longer consistent with industry-recognized practices. Alternatively, they may simply elect to disregard the policy. Either choice may result in patient harm and a malpractice claim. Evidence that caregivers followed outdated policies may hinder defense of an otherwise defensible claim.

The Purpose of Policies and Procedures

Formalized, written policies and procedures fulfill a number of important purposes:

  • Facilitate adherence with recognized professional practices.
  • Promote compliance with regulations, statutes, and accreditation requirements (e.g. HIPAA, EMTALA, CMS Conditions of Participation, DNV/Joint Commission).
  • Reduce practice variation.
  • Standardize practices across multiple entities within a single health system.
  • Serve as a resource for staff, particularly new personnel.
  • Reduce reliance on memory, which, when overtaxed, has been shown to be a major source of human errors or oversights.

These functions demonstrate how central policies and procedures are to the healthcare system’s patient safety program.

Definition of Terms

There is little agreement among healthcare regulators, accrediting bodies, and provider organizations about the definitions for terms such as policy, procedure, and guideline. The use of the word “policies” throughout this article shall refer to policies, procedures, and guidelines. The following definitions are based on the author’s experience.
Policy statement: A concise statement outlining the context, goal, or purpose of a specific procedure. A statement that is the guide to any decision making in relation to processes or activities that regularly take place or might be expected to occur (Hollnagel et al., 2014).
Procedure: The desired, intentional action steps to be taken by specified persons to achieve a certain objective in a defined set of circumstances.
Protocol: Synonymous with procedure. Often used when describing clinical patient care-related interventions. For example, a chemotherapy protocol or The Joint Commission’s Universal Protocol for Preventing Wrong Site, Wrong Procedure and Wrong Person Surgery.
Guideline: Recommended actions for a specific situation or type of case. A clinical practice guideline could, for example, outline blood-testing practices for patients who are taking anticoagulants.

Problematic Policies

When a domain unknowingly develops a policy or procedure that already exists—perhaps another domain issued a similar policy earlier—there will likely be differences, resulting in confusion as to which policy should be followed. Discrepancies in clinical policies may also result in allegations that leadership allowed “two levels of care” to be provided, thereby increasing the organization’s risk exposure in several ways. First, exposure may be triggered by inconsistency with The Joint Commission’s leadership accreditation standard, LD.04.03.07: Patients with comparable needs receive the same standard of care, treatment, and services throughout the hospital (Schyve, 2009). Second, and perhaps more importantly, if the treatment given in a specific case followed the less rigorous of the two policies, a plaintiff who suffered harm may allege that his/her care “did not fulfill the legal standard of care.”

Allegations may include:

  • A nurse’s or physician’s failure to adhere to policy.
  • Corporate negligence on behalf of a hospital that failed to adopt appropriate policies, adequately train the staff with regard to these policies, implement them, or evaluate how they are used (Destache, 2013).
  • The policy was inconsistent with the standard of care.
  • Policies the organization had in effect were contradictory to other organizational policies, differed across entities in the same system without a basis for the difference, or were inconsistent with applicable regulations.

Many healthcare organizations seem to misunderstand the purpose of policy statements and burden them with non-value-added or overly broad information. That may invite a plaintiff lawyer to take a statement out of context and allege that it places an obligation on the defendant that was not intended. The following example illustrates problematic and preferred phrasing within a policy statement:

What is the ‘Standard of Care’?

Defendant healthcare providers sued for medical malpractice must demonstrate they complied with the “standard of care,” which is a subjective standard built to answer the question, “What is the reasonable care that should have been provided by a reasonable healthcare provider in the same or similar circumstances?” The standard of care is not established by any single objective resource; it is culled from the testimony of experts with similar knowledge and training as the defendant and who have testified at trial about the facts of the case. They opine in retrospect about what a reasonable healthcare provider with similar training and experience would have done.

Problematic EMTALA policy statement:
The federal government passed the Emergency Medical Treatment and Active Labor Act (EMTALA) in order to require hospitals to offer treatment to all persons who seek care. They also passed this Act in order to prevent “patient dumping”—when a hospital refuses to treat or transfers a patient to another hospital, such as for financial reasons. It is ABC hospital’s policy to provide care to all patients and to refrain from patient dumping.
This description is oversimplified, potentially misleading, and fails to conform tightly to the EMTALA regulations.

Preferred EMTALA policy statement (which precedes a detailed procedure):

The procedure below is intended to promote compliance with the federal Emergency Medical Treatment and Active Labor Act, its amendments, regulations, and reporting requirements. The procedural steps that apply to a given person/case may differ depending on such factors as (but not limited to): the venue to which the prospective patient presents; whether he/she requests a “medical screening examination,” and the confirmation of the presence or absence of an “emergency medical condition” as defined by the Act. Requests to accept patients (with an emergency medical condition) in transfer from another acute care hospital will be handled in accordance with the procedures noted below, with consideration of the hospital’s capabilities and capacity to provide the level and type of care required at the time of the request.

Questions about these procedures shall be directed to the Legal Department or the Administrator-on-Call on a “live time” basis.

Disclaimer Statements

Each policy should include a disclaimer statement to remind staff members that they must use their judgment to determine if all parts of the policy and procedure apply to each situation or whether some type of modification is warranted. The disclaimer may also help the organization defend allegations that a staff member’s actions failed to follow a policy, when he/she testifies that he/she deemed it appropriate to make adaptations given the presenting circumstances. Typical disclaimer statements include the following (which should be approved by legal counsel):

  • A policy statement is intended to describe the reason why the associated procedure has been issued and to explain the context for it.
  • Procedures are resources to assist staff in carrying out specific actions. Procedures do not specify all circumstances to which they apply.
  • Procedures cannot, in themselves, guarantee safety. Safety is promoted by people being skilled at judging when and how (and when not) to adapt procedures to local circumstances.
  • Clinical situations may warrant adaptation due to unique patient characteristics.
  • Extenuating circumstances may also necessitate adaptation.

Professional Associations’ Practice Guidelines

When developing or updating clinical policies, the first step is usually to identify whether pertinent professional associations have published practice guidelines on the subject. For example, when writing a policy that pertains to the delivery of patient care in an emergency department, reviewing guidelines issued by the American College of Emergency Physicians and the Emergency Nurses Association would be a logical first step. Such guidelines are thoroughly researched and vetted by the issuing association before release. These practice guidelines are often introduced as evidence of the standard of care in a malpractice case.

Professional association recommendations lack the authority of statutes or regulations, making them advisory rather than mandatory. It is important to remember, however, that if a hospital’s procedures differ from those outlined in a professional association-issued guideline on the same subject, without a bona fide reason, that disparity may be called into question. For instance, ABC hospital’s surgical count procedures did not require instrument counts, as specified in the Association of periOperative Registered Nurses (AORN) practice standards (2013, p. 311). If a surgical operation at ABC hospital results in a retained instrument and becomes a claim, the plaintiff counsel will likely allege that the perioperative counts procedure was substandard because it was less rigorous than those recommended by AORN.

Implementing New or Revised Policies

The organization has a duty to inform all affected personnel prior to the effective date of a new or revised policy. Failure to do so may cause a staff member to follow an outdated policy, possibly compromising patient care and giving rise to potential allegations of corporate negligence. To protect the organization from corporate negligence claims, documentation that affirms all affected workers—including floating, part-time, and traveling employees—have reviewed the new or revised policy prior to its effective date should be collected and kept on file.

By allowing a period of time between the approval date of a policy and its effective date, managers have time for associated training. Legal counsel should determine the length of time documentation of this type of training should be maintained, factoring in applicable statutes of limitations.

When a new policy or procedure pertains to the use of a new medical device, pharmaceutical agent, or clinical procedure, hands-on training may be warranted, in addition to sharing information about the written policies. Although such training may be provided by the manufacturer/vendor or someone in the organization (e.g., a nurse educator), the manager for each unit or department should be assigned responsibility for: a) assuring that all staff members working in his/her unit/department have received training in the designated timeframe and attained a passing score on the competency verification test or observations and b) collecting and retaining associated training records.

Table 1. Policy and Procedure Development Guidelines



Define all terms used within the policy.

It is useful to put these definitions at the beginning of the policy. If terms are not defined, they may be misconstrued by staff and/or when later scrutinized by plaintiff lawyers.

Refrain from using superlative words or statements, such as:

a) Highest, safest, best (level of care)
b) Assure, ensure (preferable to use “to promote”)

The presence of superlative adjectives is sometimes alleged by plaintiff lawyers to be a “guarantee” of a certain outcome.

Exercise caution when using absolutes such as shall, must, or do not unless intended as such.

Many circumstances allow for clinical judgment.

Select a simple, recognizable name for the policy.

Naming a policy “Chain of Command Policy” is preferable to naming it, “Disagreement over patient care.” Staff will have an easier time locating a policy with a familiar name.

Combine separate policies on the same subject into one policy. If it becomes lengthy, create a table of contents so the user can easily locate specific sections.

For instance, the policy for medical screening examinations, transfer in/out, reporting EMTALA violations, etc. should appear in a single EMTALA policy.

Use the active rather than the passive voice when writing specific procedure action steps.

Passive voice: “The specimen container should be labeled.”

Active voice: “Place a label on the specimen container.”

Ensure responsibility for carrying out each action step is explicitly stated, not implied.

Each section should have two columns: the one on the left outlines the action to be taken, and the one on the right says who is responsible for carrying out each step.

Obtain the sign-off of all stakeholders (domain leaders) affected by each policy, as well as each oversight committee or entity that reviewed and approved of it (e.g., Medical Executive Committee [MEC]).

It is not uncommon to see “nursing” policies that outline actions an independently credentialed physician is expected to take. Any policy that outlines medical staff responsibilities warrants their input during development and subsequent reviews. Medical staff members also need to know where to access those policies.

Require each approving entity or person to sign off on each individual policy. In years past, paper policy manuals often included a “cover sheet” as a sign-off page, which showed the date of approval and signature of the approving leader, in lieu of him/her signing each policy.

Cover sheets for sign off are not effective for electronic documents.

Note the date of origin of the policy and each subsequent review or modification date within the body of the policy, typically on the last page near the sign-offs:

Date of origin: ____

Review date: ____

Review date: ____

Pay particular attention to how the approvals for subsequent policy updates are documented in the electronic version of the policy.

Establish naming and numbering conventions for use across the health system.

Number all pages, reflecting the total number of pages as well: page 1 of 5, 2 of 5, etc. Put the policy title/number in the header of each page.

Note other policies on a similar subject that may be useful at the end of the policy, for cross-reference purposes. Incorporate any related form(s) or computer screen images referred to in a policy.

For example, the disclosure policy should cross-reference adverse event reporting policy, the patient complaint/grievance policy, and the bill hold/adjustment policy. Also for example, the EMTALA transfer form should be a part of the EMTALA policy.

Cite specific federal or state statute(s) that are the basis for a policy or procedure with any other references.

It may also be helpful to put a URL link to those statutes.

At the end of the document, note evidence-based resources referred to when developing the policy.

Some organizations simply place a list of resources as an attachment to each policy, so that it is not a part of the actual, page-numbered policy document.

Noting the referenced resources in each policy has both advantages and disadvantages. The advantage is that readers are aware of a professional source for more information on that subject. Another advantage is that it demonstrates the policy was developed with awareness of recognized professional guidelines and evidence-based best practices. However, potential risks arise when: a) the organization’s policy differs from the cited professional guidelines or omits some key element noted in those guidelines; or b) the cited professional guideline is updated following issuance of the policy, and the organization has not updated the policy accordingly.

Doing so means that if the organization has to produce the policy during discovery, the list of resources need not be turned over, since it “was not part of the policy itself”.

Avoid under-specifying: Put all essential elements in the policy.

For instance, stating that “X action shall be taken” does not specify which staff member is responsible for carrying out the task.

Avoid developing policies that outline actions that are more rigorous than the typical “standard of care.”

If a hospital implements a policy that goes beyond what is the prevailing practice in the industry, the organization will be held to the higher standard.

Use caution when approving a policy on a specific topic or practice that simply states that staff shall adhere to the practices outlined in “ABC Textbook” (and does not outline the organization’s own steps).

Citing a reference as the policy may be appropriate in a narrow range of situations. For example, the American College of Radiology publishes an evidence-based, comprehensive “Use of Contrast Media Manual” with regular updates. Rather than develop its own policies on this subject (which would likely be shorter and oversimplified when compared to this manual), a hospital-based radiology department may wish to endorse the staff’s use of this manual, with the proviso noted to the right.

Doing this implies: a) the cited book is the most updated authoritative source on that subject; b) the responsible domain leaders have reviewed the book from cover to cover and have “endorsed” all of its contents; c) staff members have ready access to that resource (at all times); and d) there is a process in place to monitor when the ACR issues a revised version of this manual, so the organization does not continue to use guidelines that may have changed.

‘Red Rules’

Frustrated by continued reports of noncompliance with important patient safety rules, some healthcare organizations have classified selected requirements as “red rules.” Doing so, they believe, gives greater emphasis to their importance and is intended to make staff pause and reconsider before they choose to act in a way that differs from the red rule.

When choosing which practices to designate as red rules, leaders must first determine that the practice must be performed without fail, in every case, without exception. Next, they must empower all staff to intercede in real time and “stop the line” if they witness a red rule violation, since non-adherence poses a significant risk of patient harm. Red rule violations are subject to discipline in many organizations, unless the party involved can provide legitimate reasons why that step was skipped.

Leaders who choose to designate key safety practices as red rules should do so thoughtfully; having too many red rules is difficult to manage and may be counterproductive. The Institute for Safe Medication Practices (2008) supports the use of red rules and emphasizes that they should be “few, well-understood, and memorable.”
Practices worthy of classification as red rules may include:

  • Performing a time-out before an invasive procedure.
  • Performing instrument, sponge, and needle reconciliation counts during an invasive procedure.
  • Verifying a patient’s identity using two identifiers.
  • Requiring two nurses to independently verify the patient’s identity and the intended blood product’s labeling prior to beginning a transfusion.

Before implementing red rules, a multidisciplinary team with representatives from senior leadership, the medical staff, and risk management should carefully consider each suggested rule to determine if it meets the criteria outlined above.

Standardizing Policies across the System

When there are multiple hospitals within a health system, there is little justification for allowing each hospital to independently develop its own policies. Disparate policies can expose organizations to risk because a plaintiff lawyer may allege that one entity’s policy was less comprehensive than the other’s and thereby represented a lower standard of care. Policies and procedures of the following types lend themselves to being “system” policies:

  • Those designed to promote compliance with federal regulations (i.e., CMS Conditions of Participation, EMTALA, HIPAA, ADA, Safe Medical Device Act) or accreditation requirements (Joint Commission, DNV);
  • Those that describe specific patient-care related practices (i.e. induction of labor, patient triage in the ED, specimen collection);
  • Clinical practice guidelines approved by the medical staff for defined situations or cases.

In the event a specific policy does not apply to one entity in the system (i.e., Hospital X does not have an emergency or OB department so EMTALA may not apply), the system policy can specify that it does not apply to Hospital X.

Electronic Policy Libraries

Most healthcare organizations have replaced paper policy and procedure manuals with electronic policy libraries available on the organization’s intranet, which greatly enhances access. To optimize the usefulness of electronic libraries:

  • Provide indices by policy name, subject, and sponsoring domain (administration, nursing, pharmacy, etc.).
  • Incorporate “word search” functionality in order to facilitate searches for pertinent policies irrespective of their issuing domains. Without such a search function, staff may have difficulty locating the policy they are seeking.
  • Do not prohibit access to policies of one domain to personnel in other domains. There may be legitimate reasons why persons in other departments may need to refer to those documents.
  • Immediately remove a policy that has been officially retired or replaced from the “active” database and transfer it to the designated archives.
  • Create an electronic archive for storing “retired” or prior versions of policies. This will facilitate access in response to legal discovery requests. Check with your corporate compliance office regarding organizational document retention policies.


Healthcare risk managers are encouraged to collaborate with other senior leaders in their organizations in order to maximize the usefulness of policies and procedures and reduce potential associated risks. The following strategies represent best practices observed by the author:

  • Designate a senior leader to oversee policy development, approval, and periodic review by the appropriate policy owner(s). The Corporate Compliance Office and the Legal Department are well-suited for this responsibility since many policies pertain to regulations.
  • Create a tracking mechanism that will identify when each policy’s periodic review is due, issuing advance notice to the policy owner in order to assure timely response.
  • Issue policy development guidelines and train managers in their use.
  • Create a system-level policy and procedure oversight committee with multidisciplinary membership and representatives from all entities. Consider forming domain-specific subcommittees for each department: nursing, pharmacy, biomedical engineering, etc.
  • Incorporate training about policy and procedure compliance in new-employee orientation programs. Include discussion of each staff person’s duty to exercise judgment in specific situations and determine if any part of the policy or procedure warrants modification. In such circumstances, the staff member must understand the need to document the rationale for that decision—and the manner in which the procedure was modified—in the patient’s medical record.
  • Hold managers accountable for policy development, review, and revision. Incorporate review of this responsibility into the annual performance appraisal process.
  • Implement a feedback mechanism so staff can report situations to management that resulted in a near miss event or necessitated some form of workaround. Situations that prompt staff to use a workaround indicate possibly unreliable processes or practices. By reporting them to management, with the expectation that they will be investigated and addressed, the potential for patient harm may be reduced.
  • Establish a committee to review the policies of any newly-acquired business units or practices and compare them to those already within the health system. Identify policy disparities and develop a plan for standardization, unless there are legitimate reasons why the system’s current policy needs to be modified in whole or in part, because of different jurisdictional statutes or different services offered by a particular organization.

Are policies and procedures discoverable?

The answer depends on the laws in effect in the jurisdiction where the health provider organization is located, the scope of its “peer review privilege” statute(s), if any, and precedent-setting judicial decisions. For instance, in the Commonwealth of Virginia, discovery of such documents is generally allowed, with the proviso that they may be deemed inadmissible later in the legal process for a given suit (Creager, 2008).

The risks associated with writing, updating, and implementing policies and procedures are often under-appreciated by healthcare managers. Healthcare risk managers, particularly those shifting to an Enterprise Risk Management approach, may wish to draw upon the ideas in this article as they: a) collaborate with system leaders in developing “system-wide” policies and procedures (modified to meet a unique characteristic of a specific entity); b) meet with department or service line managers to identify optimal policy formats and content; and c) offer input to corporate leaders regarding policy review and updating practices.

Anne Irving is assistant vice president of risk management for Premier Insurance Management Services. She may be contacted at Anne_Irving@premierinc.com.



References

Association of periOperative Registered Nurses. (2013). Perioperative Standards and Recommended Practices for Inpatient and Ambulatory Settings. 311.

Creager, R. T. (2008). The ‘peer review privilege’ should not shelter hospital policies and procedures from Discovery. Litigation News, Virginia State Bar, XIII(9).

Destache, D. M. (2013, April 30). Hospital policies: Will they be a burden or a benefit to you in litigation? Midwest Legal Advisor. Lamson, Dugan and Murray, LLP.

Hollnagel, E., Braithwaite, J., & Wears, R. L. (Eds.). (2014). Resilient health care. Surrey, England: Ashgate.

Institute for Safe Medication Practices. (2008, April 24). Some red rules shouldn’t rule in hospitals. Medication Safety Alert! Retrieved from http://www.ismp.org/newsletters/acutecare/articles/20080424.asp

Schyve, P. M. (2009, winter). Leadership in healthcare organizations: A guide to Joint Commission leadership standards, A Governance Institute White Paper. Retrieved August 19, 2014, from http://www.jointcommission.org/assets/1/18/wp_leadership_standards.pdf