Jump to content

Risk question


Hello, it appears only one Risk Manager may be on this board and I have been perusing her posts for information relevant to my questions.

I need basic instruction related to confidentiality of incident reports. Is it expected that recommendations for corrections/improvements be provided without including specific details of the incident and/or employees?

I am accustomed to providing feedback (based on record review) directly to nurses, managers, directors on process and documentation improvement from a quality / compliance standpoint. I am working in risk dept temporarily and want to follow the process specific to risk (realizing fully there is overlap which makes it blurry).

Also, is there a recommended standard template that may be useful to me in providing such feedback/recommendations?

Thank you in advance.


Specializes in Healthcare risk management and liability.

RiskManager self-identifies as a 57 year old bald white male, but you can certainly think of me as 'her' as needed.

From my perspective, if I am dealing directly with the employee who is the subject of an incident report, I will usually go into specific detail of the incident and the targeted areas of improvement, and the same applies if I am dealing with the leadership of that particular employee. If as part of my resolution of the incident report, I am dealing with peers of the employee who is the subject of the incident report, I will provide a more de-identified version of the event and opportunities for improvement, in an attempt to avoid identifying the person(s) named in the incident report. I generally do not disclose who wrote the incident report, although that information is available to leadership.

In terms of a standardized format of presenting such recommendations, I start out by presenting the facts as from the incident report, ask for their clarification or feedback on those facts, ask for their thoughts on how the incident could have been avoided, ask for their suggestions on changes to minimize the chance of future incidents, present my recommendations on what should be done which incorporates their suggestions if I think they are relevant, come to a mutual agreement on an action plan, and how the action plan will be monitored if needed, or if anything else should be done to close the loop. This is likely not much different from what you are already doing from the QI perspective.

Feel free to post here if I may help with any other questions.

Thank you Mr. RM! Such a speedy reply on an Easter weekend Saturday certainly qualifies you for a bald avatar from allnurses (and i bet someone would second the motion by this newbie)...

If I may assume that you document your investigation findings/facts and recommendations as part of your IR resolution process (I understand what you say about de-identification); please advise if it is prudent, or not, to share such documentation and to what extent? As a nurse I am hardwired to documenting my work product in an attempt to be clear, but wonder if that should also be applied to the IR process (IE: statements about what happened, what the record reflects, RCA results, what is suggested / recommended to resolve/prevent in the future, and monitor plan prn). Or would a risk lawyer frown on such a thing?

Thank you again for your expedient, useful reply!


Specializes in Healthcare risk management and liability.

The risk management process at your facility is probably set up under a quality improvement or patient safety organization umbrella. This is important insofar as this allows you to invoke the Federal/State quality improvement privilege against legal discovery for your quality improvement and risk management work and documentation thereto. I document all of my investigations and resolutions up the wazoo, but I do so under my QI/RM framework so that I can assert privilege. I generally only share that documentation as provided for in my QI/RM process, such as my monthly patient safety/risk committee meeting, in which we review and discuss incidents, or I am sharing an incident report with leadership. I do not give my written incident reports, investigations or resolutions to people involved in the incident report. I provide them with information verbally, and then I document doing so in my incident report paperwork. I may provide them with written recommendations or an action plan, but I do this as a risk management memo to bring it under my QI privilege umbrella.

Again, your facility probably already has this process, and you should be certain to follow it. Privilege against discovery is probably never absolute, and has been chipped away over the years. You have to follow certain procedures in order to be able to assert that privilege, and willy-nilly dissemination of quality/risk documentation would be an excellent way to lose that privilege.

Thank you, very much, again.