CPHRM Questions and Answers

Under Health Care Risk Management standards recognized by ASHRM and the American Hospital Association Certification Center, the Safe Medical Devices Act SMDA is part of the FDA’s post market surveillance system for medical devices. The SMDA requires healthcare facilities to report to the FDA and, in some cases, to the manufacturer when a medical device has or may have caused or contributed to a patient death or serious injury. This mandatory reporting system enhances device safety monitoring and supports regulatory oversight after products enter the market.

EMTALA governs emergency medical screening and stabilization obligations, not device reporting. The Occupational Safety and Health Act focuses on workplace safety for employees rather than patient device-related injuries. Patient Safety Organizations operate under the Patient Safety and Quality Improvement Act and facilitate voluntary reporting of patient safety events, but they do not replace FDA-mandated device reporting requirements.

Legal and regulatory objectives in healthcare risk management emphasize compliance with federal reporting statutes, timely submission of required reports, and maintenance of documentation to mitigate regulatory exposure. Therefore, the Safe Medical Devices Act is the correct answer regarding mandatory FDA post market surveillance reporting for device-related deaths or injuries.

RCA and systems safety models (e.g., Swiss Cheese) emphasize that adverse events typically requiremultiple contributing factors—small process breakdowns, latent conditions, and active failures—to align. This is why focusing only on the last person who touched the patient (“sharp end blame”) rarely prevents recurrence. Risk management objectives are to identify and strengthen defenses: policies, training, equipment design, staffing models, communication standards, and redundancy where needed. A series-of-events understanding enables targeted corrective actions (forcing functions, standardization, automation with safeguards, independent double checks for high-alert processes). It also supports just culture: accountability is preserved for reckless behavior, but most improvement comes from redesigning systems that make errors more likely. This approach improves reliability, reduces repeat harm, and provides defensible evidence of organizational learning and corrective action.

According to Health Care Risk Management standards supported by ASHRM and the American Hospital Association Certification Center, patient and family engagement is a critical element of patient safety programs. Including lay persons on select committees, such as patient safety or quality committees, allows patients and families to contribute perspectives that enhance transparency and system improvement. Structured patient education opportunities empower individuals to understand their care, ask questions, and actively participate in safety practices, such as medication verification and infection prevention.

Event reporting by patients and families is another proactive strategy that promotes open communication and early identification of safety concerns. Encouraging patients to report perceived errors or near misses supports a culture of safety and partnership.

Referring patient events for peer review is an internal professional evaluation process focused on provider performance and quality improvement. While important for clinical oversight, it is not a technique designed to directly include patients and families in educational safety programs.

Clinical and patient safety objectives emphasize collaboration, transparency, and patient-centered care. Therefore, inclusion of lay persons on committees, patient education initiatives, and patient or family event reporting are appropriate techniques for involving patients in safety programs.

Voluntary reporting systems often generatemore reports, especially ofnear-misses and low-harm events, because staff perceive less punitive risk and greater learning value. This is crucial for proactive risk management: near-misses expose weak signals and system vulnerabilities before a patient is harmed. A robust voluntary culture supports a “just culture” approach—encouraging reporting while still holding people accountable for reckless behavior. Compared with mandatory systems (typically limited to defined serious events), voluntary systems improve the organization’s ability to identify patterns (communication failures, workflow traps, labeling issues, staffing risks), prioritize interventions, and measure improvement over time. Risk management objectives include earlier hazard detection, better trend analysis, and stronger safety culture. To maximize effectiveness, leadership must provide feedback loops (“you reported, we improved”), protect confidentiality where permitted, and couple reporting with structured analysis (RCA/FMEA). While voluntary reporting does not automatically confer legal privilege, it is a foundational learning system in high-reliability healthcare operations.

The HIPDB was established to help combathealthcare fraud and abuse, while the NPDB historically focused on practitioner competence and professional conduct (including items like malpractice payments and certain adverse actions). HRSA explains that HIPDB is no longer separate and that its information is now collected and disclosed through the NPDB following the 2013 merger. For risk managers, the objective is to ensure credentialing, contracting, and compliance teams understand the expanded scope and proper use: querying supports safer hiring/privileging decisions and reduces negligent credentialing risk, while reporting supports system integrity. Organizations must also ensure due process and correct categorization of reportable events to avoid wrongful reporting exposure.

According to Health Care Risk Management standards supported by ASHRM and enterprise risk management ERM principles, external factors include conditions outside the direct control of the organization that influence strategic, operational, financial, and regulatory risk exposures.

A physician shortage is an external workforce market condition that can affect staffing stability, access to care, and malpractice exposure. New regulations are also external factors, as legislative or regulatory changes may alter compliance requirements, reimbursement structures, or reporting obligations. Similarly, soft insurance market trends reflect external economic and underwriting environments that influence premium pricing, availability of coverage, and risk financing strategy.

Resolution of claims, however, is generally an internal operational or claims management outcome. While influenced by external legal environments, the resolution process itself is primarily part of internal risk management and litigation strategy rather than a broad external environmental factor.

ERM objectives emphasize analysis of external environmental drivers, including regulatory, workforce, economic, and market conditions. Therefore, physician shortages, new regulations, and soft insurance market trends are external factors affecting risk, while resolution of claims is not primarily classified as external.

According to Health Care Risk Management standards supported by ASHRM and the American Hospital Association Certification Center, insurance policy information is generally discoverable in litigation. Most jurisdictions require disclosure of applicable liability coverage, including policy limits, pursuant to civil procedure rules governing discovery. Therefore, when an interrogatory properly requests insurance policy information, the organization should provide the specifically requested information in coordination with defense counsel.

Providing more information than requested, such as automatically including excess limits if not asked, may exceed the scope of the interrogatory and should be guided by legal counsel. A certificate of insurance is not a substitute for responding to formal discovery requests, as it may not contain all required details regarding coverage, limits, and applicable policy periods.

Objecting to the interrogatory without valid legal grounds is generally inappropriate, as insurance coverage information is typically relevant to potential satisfaction of judgment.

Claims and litigation objectives emphasize cooperation with counsel, compliance with discovery rules, and accurate disclosure of coverage information. Therefore, the appropriate response is to provide the specifically requested insurance policy information in accordance with legal guidance.

Broad incident definitions (including near-misses and unsafe conditions) support proactive risk management. If reporting is limited only to severe harm, the organization loses learning opportunities from early warning signals. Risk management objectives favor capturing deviations from expected process—falls without injury, specimen labeling near-misses, medication dispensing discrepancies—because these events reveal system vulnerabilities that can later cause major harm. Strong incident management includes classification, timely review, escalation thresholds, root cause analysis for significant events, and feedback to frontline staff. This approach aligns with systems-based safety: identify hazards, implement controls, and monitor effectiveness.

Regulatory inspections must be handled professionally with controlled communication and documentation practices. Verifying credentials ensures the inspection is legitimate. Accompanying the inspector supports accurate information exchange, maintains chain-of-custody for requested materials, and helps ensure staff do not speculate or provide inconsistent answers. Risk management objectives include ensuring compliance, protecting patient safety, reducing regulatory penalties, and documenting interactions for follow-up. Facilities should have an inspection readiness plan: designated escorts, document control, subject matter expert availability, and a process to log requests and responses. This approach reduces operational disruption, supports transparency, and demonstrates a mature compliance culture.

Due diligence is a structured risk-identification and validation process used in mergers/acquisitions to understand clinical, legal, regulatory, operational, and financial exposures before closing. Objectives include discovering hidden liabilities (claims history, compliance gaps, credentialing issues, cybersecurity risks), validating revenue assumptions, assessing quality and safety maturity, and estimating integration costs. This informs valuation (including potential price adjustments), deal terms (representations/warranties, indemnities), and post-close priorities to improve performance and reduce adverse surprises. Risk management objectives include ensuring continuity of safe care during transition, aligning policies and governance, and preventing inherited regulatory violations or claims tail exposures.

According to Health Care Risk Management standards supported by ASHRM and accreditation guidance from The Joint Commission, patient-owned electrical devices brought into healthcare facilities must be evaluated to ensure they do not pose safety risks. The Joint Commission’s Environment of Care standards emphasize electrical safety, fire prevention, and reduction of hazards within patient care areas.

Before a patient-owned electrical device is used within the facility, an electrical safety inspection should be conducted to assess the integrity of cords, plugs, grounding, and overall condition. The purpose is to identify potential risks such as frayed wiring, overheating hazards, or improper voltage compatibility that could endanger patients, staff, or equipment.

Simply inventorying the device with personal belongings does not address safety concerns. Sequestering the device may be appropriate if it fails inspection, but routine confiscation is not required. While biomedical engineering departments often assist with inspections, tagging by biomedical engineering is not itself the required action; the essential requirement is that a safety inspection be performed.

Clinical and patient safety objectives emphasize proactive hazard identification and compliance with accreditation standards. Therefore, conducting an electrical safety inspection is the appropriate action for patient-owned electrical devices entering the facility.

In Failure Modes and Effects Analysis (FMEA), the Risk Priority Number (RPN) is commonly calculated as the product of three ratings:Severity (S)of impact,Occurrence (O)likelihood/probability, andDetection (D)ability to detect the failure before it causes harm (lower detectability increases risk). This structured scoring helps teams prioritize which failure modes deserve immediate mitigation. Risk management objectives include proactively identifying high-risk process steps (medication administration, specimen labeling, surgery scheduling), designing controls (standard work, forcing functions, redundancy), and tracking residual risk after changes. While cost and feasibility may influence selection of mitigations, they are not the core RPN elements. Using S–O–D improves transparency in prioritization, supports interdisciplinary alignment, and provides a defensible rationale for resource allocation toward patient safety improvements.

EMTALA applies when an individual comes to the ED and requires a medical screening exam to determine whether anemergency medical condition (EMC)exists. Conditions like myocardial infarction, ruptured appendix, and unstable labor can constitute EMCs because absence of immediate medical attention could reasonably be expected to place health in serious jeopardy. By contrast,stable chronic kidney failurewithout acute destabilization may not meet the EMC threshold—though the screening exam must be performed before that determination is made. Risk management objectives emphasize: never “triage out” without an appropriate screening exam, document findings and decision-making, and apply consistent policies to avoid discriminatory practice. EMTALA failures often stem from process breakdowns (delays, refusal, inadequate screening, improper transfer), so standardized ED workflows and training are critical.

Subrogation is the insurer’s right to seek recovery from a responsible third party after paying a loss. Awaiver of subrogationclause means the insurer (or self-insured entity) gives up that recovery right, usually to support business relationships and reduce litigation between contracting parties. Risk financing objectives include understanding when waivers are acceptable (balanced against increased retained loss), ensuring the waiver aligns with insurance policy endorsements, and preventing unintended coverage gaps. Poorly managed waivers can shift costs back onto the organization and complicate recovery efforts. Contracts should be reviewed to ensure the waiver is mutual when appropriate and consistent with the organization’s risk appetite and insurance program.

Under Health Care Risk Management principles outlined by ASHRM and the American Hospital Association Certification Center, a successful negligence claim requires proof of four essential legal elements: duty, breach of duty, causation, and damages. Duty refers to the legal obligation owed by the healthcare provider to the patient. Breach occurs when the provider fails to meet the applicable standard of care. Proximate cause establishes the direct link between the breach and the harm suffered.

The final required element is actual injury or damages sustained by the claimant. Without demonstrable harm, a negligence claim cannot succeed, even if duty and breach are proven. The injury may include physical harm, emotional distress, or financial loss, but it must be measurable and attributable to the breach.

Contributory negligence is a defense that may reduce or bar recovery but is not an element the claimant must prove. Punitive damages are awarded in exceptional cases involving egregious misconduct and are not required to establish liability. Gross negligence represents a higher degree of negligence but is not a required element in standard malpractice claims.

Therefore, proof of injury sustained is essential for a liability claim to succeed.

According to Health Care Risk Management standards supported by ASHRM, CMS Conditions of Participation, and The Joint Commission patient visitation standards, hospitals must have written visitation policies that respect patient rights. Patients generally have the right to designate visitors of their choosing, including individuals who are not immediate family members. Visitation cannot be restricted based on non-clinical factors such as relationship status or surrogate designation.

However, facilities may impose clinically reasonable or safety-based restrictions. If a visitor administers an unknown drug intravenously to a patient, this presents a clear and immediate threat to patient safety. Such conduct justifies restricting visitation to protect the patient from harm, maintain clinical control of treatment, and prevent unsafe interference with care.

Being known as a drug seeker in the community, without evidence of disruptive or harmful behavior during the visit, does not alone justify restriction under patient rights standards. Similarly, visitation cannot be denied solely because the individual is not the designated healthcare surrogate.

Legal and regulatory objectives emphasize balancing patient rights with safety and security. Therefore, a hospital may restrict visitation when a visitor’s actions pose a direct threat to patient safety.

According to Health Care Risk Management principles outlined by ASHRM and the American Hospital Association Certification Center, both deductibles and self-insured retentions are mechanisms used in risk financing to allocate a portion of loss to the insured organization. However, they function differently in relation to the insurer’s obligation.

A deductible is typically subtracted from the amount paid by the commercial carrier. In many policies, the insurer may pay the full claim amount and then seek reimbursement of the deductible from the insured, or the insured may pay the deductible portion while the insurer handles defense and indemnity payments above that amount. The key distinction is that coverage attaches immediately, but the insured ultimately bears the deductible portion.

A self-insured retention differs in that the insured must satisfy the retention amount before the insurer’s coverage is triggered. Until the retention is exhausted, the insured is responsible for payment and often for defense management.

Option B incorrectly describes a deductible as operating like a self-insured retention. Option C does not distinguish between the two mechanisms. Option D is incorrect because self-insured retention applies before, not after, carrier limits.

Therefore, the correct distinction is that a deductible is subtracted from amounts paid by the commercial carrier.

According to Health Care Risk Management standards supported by ASHRM and the American Hospital Association Certification Center, The Joint Commission’s sentinel event policy requires organizations to complete a thorough root cause analysis and develop an action plan within 45 days of becoming aware of the sentinel event.

The root cause analysis must identify underlying system failures and contributing factors rather than focusing solely on individual performance. The resulting action plan must outline specific corrective measures, assign responsibility, establish implementation timelines, and include mechanisms to monitor effectiveness. The emphasis is on sustainable system improvement to reduce the likelihood of recurrence.

Failure to complete the analysis and action plan within the required timeframe may result in additional review, accreditation consequences, or other follow-up actions by The Joint Commission. Timely completion demonstrates organizational accountability, leadership oversight, and commitment to patient safety.

Clinical and patient safety objectives emphasize structured investigation processes, documentation of corrective actions, and alignment with accreditation standards. Therefore, the required timeframe for completion of the root cause analysis and action plan following awareness of a sentinel event is 45 days.

Under Health Care Risk Management principles outlined by ASHRM and the American Hospital Association Certification Center, cases involving sterilization of minors, particularly those who are developmentally disabled, raise significant legal and regulatory concerns. The risk manager’s primary responsibility is to ensure compliance with applicable consent laws and protect patient rights while minimizing organizational liability.

First, determining who has legal consent authority is essential. When parents disagree, state law typically governs whether both parents must consent, whether one parent’s consent is sufficient, or whether court involvement is required. Second, evaluating the competency level of the patient is critical because decision-making capacity influences whether the patient can participate in consent or assent processes. Capacity assessments may require clinical and legal evaluation.

Third, state statutes and laws are highly relevant, as many jurisdictions impose strict legal requirements or court approval for sterilization of minors or individuals with developmental disabilities. These laws are designed to protect vulnerable populations.

The patient’s diagnosis alone is not the determining legal factor; rather, decision-making capacity and statutory requirements are central. Therefore, the risk manager must evaluate consent authority, competency, and applicable state laws to ensure regulatory compliance and ethical integrity.

According to Health Care Risk Management standards supported by ASHRM and the American Hospital Association Certification Center, occurrence coverage provides protection for incidents that occur during the policy period, regardless of when the claim is reported. The triggering event is the date of the occurrence. As long as the alleged act or omission took place while the policy was in force, coverage applies even if the claim is filed years later.

Option A is incorrect because occurrence coverage does not extend to incidents that occur prior to the policy’s effective date. Coverage is strictly tied to the policy period.

Option C is incorrect because in claims-made coverage, the retroactive date is critical. Coverage applies only to claims made during the policy period for incidents that occurred on or after the retroactive date.

Option D is incorrect because the “nose” period, also known as prior acts coverage, is highly significant in claims-made policies. It determines whether earlier acts are covered when switching carriers.

Risk financing objectives emphasize understanding policy triggers, retroactive dates, and reporting requirements. Therefore, occurrence coverage applies to incidents that occur while the policy is in effect.

The PSDA focuses onpatient autonomy and informed decision-making, especially aroundadvance directives. It requires certain healthcare organizations to inform patients of their rights under state law to make decisions about medical care, ask whether the patient has an advance directive, document it, and avoid discrimination based on whether an advance directive exists. The Act doesnotcreate a right for patients to select any medication they want irrespective of clinical appropriateness, prescribing laws, formularies, allergies, contraindications, or standards of care. Risk management objectives here include: ensuring compliant admission workflows (education + documentation), reducing disputes through early clarification of preferences, and preventing ethical/legal breakdowns during incapacity. Operationally, PSDA compliance improves care planning, reduces unwanted treatment, and lowers complaint/litigation risk by showing the organization respected patient rights and followed required processes.

The Healthcare Integrity and Protection Data Bank (HIPDB) was created to combat healthcare fraud and abuse; it isno longer operational as a separate bank, and its content was merged into the NPDB. Reporting and querying are governed by HRSA rules defining authorized entities, including certain peer review and oversight organizations in specific reporting frameworks. Risk management objectives include ensuring organizations understand which actions must be reported, ensure due process, and comply with data handling rules. Proper reporting supports system integrity by preventing practitioners or entities with serious adverse actions from moving undetected across organizations. For hospitals and health plans, this strengthens credentialing and contracting decisions, reducing organizational exposure to negligent credentialing and improper network participation risks.

Team-based care reduces errors by improving communication, cross-monitoring, workload distribution, and escalation when risk increases. TeamSTEPPS and related patient safety evidence show teamwork training can improve safety culture and reduce clinical error rates by creating predictable behaviors—briefs, huddles, check-backs, and mutual support. From a risk management standpoint, teamwork is a high-leverage control because many serious adverse events involve coordination failures (handoffs, unclear ownership, missed deterioration). Effective teams also reduce “single-point-of-failure” risk; when one clinician misses something, another can catch it. Organizations operationalize this through standardized communication (SBAR), structured handoffs, simulation, and leadership support for psychological safety so staff speak up. Team functioning is therefore not “soft skill”—it is a measurable safety barrier that reduces preventable harm and strengthens reliability in complex, high-acuity environments.

Core risk treatment strategies includeavoidance(stop the activity),reduction/mitigation(controls that reduce likelihood/severity),retention(accept risk within appetite and fund losses via reserves/self-insurance), andtransfer(contracts/insurance shifting financial consequences). In healthcare, the highest priority is often mitigation for patient safety risks (standardization, technology, training), with financing mechanisms ensuring the organization can absorb residual loss without destabilizing operations. ERM aligns these strategies to enterprise objectives so leadership invests in the best mix of prevention and financing.

According to Health Care Risk Management standards supported by ASHRM and the American Hospital Association Certification Center, periodic review of policies and procedures is essential to ensure alignment with current laws, regulatory standards, accreditation requirements, and best practices. Reviewing policies helps ensure consistency between written procedures and actual clinical practice, thereby reducing liability exposure.

Policy review also supports identification of potential risk exposures by detecting outdated language, conflicting guidance, or gaps in processes that could lead to adverse events. Additionally, monitoring compliance with standards—such as federal regulations, state statutes, and accreditation requirements—is a central purpose of policy review, ensuring that organizational practices meet required benchmarks.

Maintaining staff competency, however, is primarily addressed through education, training programs, credentialing, and performance evaluation processes. While policies provide guidance for staff conduct, competency assessment is not the primary objective of policy review itself.

Health Care Operations objectives emphasize governance oversight, regulatory compliance, and risk mitigation through clear, current policies. Therefore, maintaining staff competency is not a direct reason for performing risk management review of policies and procedures, making it the correct exception.

Under Health Care Risk Management standards supported by ASHRM and the American Hospital Association Certification Center, the implantation of a medical device that lacks FDA approval and Institutional Review Board oversight presents significant legal and regulatory violations. Use of an unapproved device outside of an approved investigational protocol may violate federal regulations governing human subject research and medical device approval processes.

The risk manager’s primary responsibility is to immediately mitigate regulatory and liability exposure. Because the procedure is scheduled for the next day, urgent intervention is required. Contacting the FDA would not resolve the immediate risk. Verifying informed consent is insufficient, as patient consent cannot legitimize use of an unapproved device outside regulatory pathways. Calling a special IRB meeting would not retroactively authorize an unapproved device without appropriate investigational device exemption processes.

Escalating the issue to the chief of surgery to halt or cancel the procedure is the most appropriate immediate step. This ensures that organizational leadership addresses the compliance violation before patient harm occurs. Risk management objectives emphasize proactive prevention of regulatory breaches, protection of patient safety, and preservation of institutional integrity. Therefore, stopping the procedure is the correct and immediate action.

The “sharp end” refers to the point in a system where clinicians directly interact with patients and deliver care—nurses administering medications, physicians performing procedures, therapists mobilizing patients, and so on. Errors at the sharp end are typicallyactive failuresthat are immediately visible, but they are often shaped by “blunt end” factors—staffing levels, training, equipment design, policies, and workflow constraints. Risk management objectives discourage blaming the sharp end alone; instead, they use incident analysis (RCA) to identify latent system conditions that make frontline errors more likely. Improving sharp-end safety includes standardization, teamwork tools (SBAR/TeamSTEPPS), human factors engineering, and reducing hazardous variability in processes. This systems approach helps prevent repeat events and supports a just culture where learning is prioritized while accountability is preserved for reckless conduct.

Under Health Care Risk Management principles defined by ASHRM and the American Hospital Association Certification Center, an adverse drug event refers to patient harm or potential harm related to the use of medication. This includes medication errors and adverse drug reactions that directly affect patient safety. Administration of a drug by the wrong route is a medication error that may result in patient harm and therefore qualifies as an adverse drug event. A drug reaction experienced by the patient is, by definition, an adverse drug reaction and falls within the broader category of adverse drug events. Similarly, an error in ordering or dispensing a drug represents a medication error that may cause or has the potential to cause harm to a patient.

In contrast, a controlled substance inventory discrepancy relates to regulatory compliance, diversion risk, or financial accountability, not direct patient injury. While such discrepancies are serious and fall under legal, regulatory, and operational risk domains, they do not constitute an adverse drug event unless patient harm occurs.

Clinical and patient safety objectives emphasize distinguishing between medication-related patient harm and regulatory or operational issues. Therefore, the controlled substance inventory discrepancy is not an adverse drug event.

According to Health Care Risk Management principles supported by ASHRM and the American Hospital Association Certification Center, organizations operating vehicle fleets must implement structured fleet risk management controls to reduce liability exposure. One of the most fundamental annual requirements is verification of each driver’s driving record, typically obtained through a motor vehicle record MVR review.

An annual driving record review allows the organization to confirm that drivers maintain valid licensure, identify traffic violations, detect patterns of unsafe driving behavior, and assess risk exposure. This proactive screening supports loss prevention, reduces the likelihood of negligent entrustment claims, and ensures compliance with organizational driving policies.

Mileage logs are operational tools used for tracking usage and reimbursement but do not assess driver eligibility or risk. Driver training is important for safety programs but is not the minimum required documentation to confirm driver qualification status. Proof of insurance may be required when employees use personal vehicles for business purposes, but it does not replace the need to review the driver’s official record.

Health Care Operations objectives emphasize credential verification, regulatory compliance, and proactive liability mitigation. Therefore, obtaining and reviewing each driver’s driving record annually is the minimum required documentation.

Multiple studies showphysicians report fewer incidentsthan nurses and other hospital staff in many voluntary reporting systems, influenced by cultural norms, fear of blame, time constraints, and preference to manage issues “in-house.” This matters because underreporting distorts risk signals: leadership may miss trends in diagnostic delays, handoff failures, and near-misses that physicians uniquely observe. Risk management objectives therefore focus on reducing barriers: simplifying reporting, enabling quick mobile submissions, emphasizing psychological safety, and providing credible feedback that reporting leads to improvement (not punishment). Another proven strategy is integrating reporting into professional practice expectations and aligning medical leadership with “just culture” principles. Increasing physician reporting improves system learning, strengthens peer review insight, and supports defensibility by showing hazards were identified and addressed.